Abstract. Higher-order pushdown systems (PDSs) generalise pushdown systems through the use of higher-order stacks, that is, a nested "stack of stacks" structure. These systems may be used to model higher-order programs and are closely related to the Caucal hierarchy of infinite graphs and safe higher-order recursion schemes.

We consider the backwards-reachability problem over higher-order Alternating PDSs 
(APDSs), a generalisation of higher-order PDSs. This builds on and extends previous work 
on pushdown systems and context-free higher-order processes in a non-trivial manner. In 
particular, we show that the set of configurations from which a regular set of higher-order 
APDS configurations is reachable is regular and computable in n-EXPTIME. In fact, the 
problem is n-EXPTIME-complete. 

We show that this work has several applications in the verification of higher-order PDSs, such as linear-time model-checking, alternation-free μ-calculus model-checking and the computation of winning regions of reachability games.



1. Introduction 

1.1. Pushdown Automata and Pushdown Systems. Pushdown automata are an extension of finite state automata. In addition to a finite set of control states, a pushdown automaton has a stack which can be manipulated with the usual push and pop operations. Transitions of the automaton depend on both the current control state and the top item of the stack. During the execution of a transition, a push or pop operation is applied to the stack. Since there is no bound on the size of the stack, the resulting automaton has an infinite number of "states" or configurations, which consist of the current control state and the contents of the stack. This allows the definition of such non-regular languages as the well known $\{ a^n b^n \mid n \geq 0 \}$.

Higher-order pushdown automata (PDA) generalise pushdown automata through the use of higher-order stacks. Whereas a stack in the sense of a pushdown automaton is an order-one stack — that is, a stack of characters — an order-two stack is a stack of order-one stacks. Similarly, an order-three stack is a stack of order-two stacks, and so on. An order-n PDA has $push_l$ and $pop_l$ commands for every $1 \leq l \leq n$. When $l > 1$ a $pop_l$ command removes the topmost order-$(l-1)$ stack. Conversely, the $push_l$ command duplicates the topmost order-$(l-1)$ stack.

Higher-order PDA were originally introduced by Maslov [19] in the 1970s as generators of (a hierarchy of) finite word languages. Higher-order pushdown systems (PDSs) are higher-order PDA viewed as generators of infinite trees or graphs. These systems provide a natural infinite-state model for higher-order programs with recursive function calls and are therefore useful in software verification. Several notable advances in recent years have sparked off a resurgence of interest in higher-order PDA/PDSs in the verification community. E.g. Knapik et al. [28] have shown that the ranked trees generated by deterministic order-n PDSs are exactly those that are generated by order-n recursion schemes satisfying the safety constraint; Carayol and Wöhrle [5] have shown that the ε-closure of the configuration graphs of higher-order PDSs exactly constitute Caucal's graph hierarchy [8]. Remarkably these infinite trees and graphs have decidable monadic second-order (MSO) theories.

1.2. Backwards Reachability. The decidability results discussed above only allow us to check that a property holds from a given configuration. Alternatively, we may wish to compute the set of configurations that satisfy a given property, especially since there may be an infinite number of such configurations. An important step in solving this problem is the backwards reachability problem. That is, given a set of configurations $C_{init}$, compute the set of configurations that can, via any number of transitions, reach a configuration in $C_{init}$. This is an important verification problem in its own right: many properties required in industry are safety properties — that is, an undesirable program state (such as deadlock) is never reached.

This problem was solved for order-one pushdown systems by Bouajjani et al. In particular, they gave a method for computing the regular set of configurations $Pre^*(C_{init})$ that could reach a given regular set of configurations $C_{init}$. A regular set of configurations is represented in the form of a finite multi-automaton. That is, a finite automaton that accepts finite words (representing stacks) with an initial state for each control state of the PDS. A configuration is accepted if the stack (viewed as a word) is accepted from the appropriate initial state. $Pre^*(C_{init})$ is computed through the addition of a number of transitions, determined by the transition relation of the PDS, to the automaton accepting $C_{init}$, until a fixed point is reached. A fixed point is guaranteed since no states are added and the alphabet is finite: eventually the automaton will become saturated.

This idea was generalised by Bouajjani and Meyer to the case of higher-order context-free systems, which are higher-order PDSs with a single control state. A key innovation in their work was the introduction of a new class of (finite-state) automata called nested store automata, which captures an intuitive notion of regular sets of n-stores. An order-n nested store automaton is a finite automaton whose transitions are labelled by order-$(n-1)$ nested store automata. In this way the structure of a higher-order store is reflected. The procedure is similar to the algorithm for the order-one case: transitions are added until a fixed point is reached. Termination in this case is more subtle. Since products are formed when processing higher-order push commands, the state space increases. However, it can be shown that only a finite number of products will be constructed and that termination follows.



SYMBOLIC BACKWARDS-REACHABILITY ANALYSIS FOR HIGHER-ORDER PUSHDOWN SYSTEMS 3 



Bouajjani and Meyer also show that forward reachability analysis does not result in regular sets of configurations.

1.3. Our Contribution. Our paper is concerned with the non-trivial problem¹ of extending the backwards reachability result of Bouajjani and Meyer to the general case of higher-order PDSs (by taking into account a set of control states). In fact, we consider (and solve) the backwards reachability problem for the more general case of higher-order alternating pushdown systems (APDSs). Though slightly unwieldy, an advantage of the alternating framework is that it conveniently lends itself to a number of higher-order PDS verification problems. Following the work of Cachat [25], we show that the winning region of a reachability game played over a higher-order PDS can be computed by a reduction to the backwards reachability problem of an appropriate APDS. We also generalise results due to Bouajjani et al. [2] to give a method for computing the set of configurations of a higher-order PDS that satisfy a given formula of the alternation-free μ-calculus or a linear-time temporal logic.

The algorithm uses a similar form of nested automata to represent configurations and 
uses a similar routine of adding transitions determined by the transition relation of the 
higher-order APDS. However, naive combinations of the multi-automaton and nested-store 
automaton techniques do not lead to satisfactory solutions. During our own efforts with 
simple combined techniques, it was unclear how to form the product of two automata and 
maintain a distinction between the different control states as required. To perform such an 
operation safely it seemed that additional states were required on top of those added by the 
basic product operation, invalidating the termination arguments. We overcome this problem 
by using alternating automata and by modifying the termination argument. Additionally, 
we reduce the complexity of Bouajjani and Meyer from a tower of exponentials twice the size 
of n, to a tower of exponentials as large as n. In fact, the problem is n-EXPTIME-complete. 

Termination is reached through a cascading of fixed points. Given a (nested) store-automaton, we fix the order-n state-set. During a number of iterations, we add a finitely bounded number of new transitions to order n of the automaton. We also update the automata labelling the previously added transitions to reflect the new transition structure. Eventually we reach a stage where no new transitions are being added at order n, although the automata labelling their edges will continue to be replaced. At this point the updates become repetitive and we are able to freeze the state-set at the second highest order. This is done by adding possibly cyclical transitions between the existing states, instead of chains of transitions between an infinite set of new states. Because the state-set does not change, we reach another fixed point similar to that at order n. In this way the fixed points cascade to order-one, where the finite alphabet ensures that the automaton eventually becomes saturated. We are left with an automaton representing the set $Pre^*(C_{init})$.

1.4. Related Work. In this section we discuss several areas of related work. These are 
higher-order pushdown games, alternative notions of regularity, and higher-order recursion 
schemes. 


¹ "This does not seem to be technically trivial, and naive extensions of our construction lead to procedures which are not guaranteed to terminate." [p. 145]
1.4.1. Higher-Order Pushdown Games. The definition of higher-order PDSs may be extended to higher-order pushdown games. In this scenario, control states are partitioned into two sets $\exists$ and $\forall$. When the current configuration contains a control state in $\exists$, the player Eloise chooses the next configuration with respect to the transition relation. Conversely, Abelard chooses the next transition from a control state in $\forall$. The winner of the game depends on the winning condition. A configuration is winning for Eloise if she can satisfy the winning condition regardless of the choices made by Abelard. A winning region for Eloise is the set of all configurations from which Eloise can force a win. Two particular problems for these games are calculating whether a given configuration is winning for Eloise and computing the winning region for Eloise.

In the order-one case, the problem of determining whether a configuration is winning for Eloise with a parity winning condition was solved by Walukiewicz in 1996 [12]. The order-one backwards reachability algorithm of Bouajjani et al. was adapted by Cachat to compute the winning regions of order-one reachability and Büchi games [25]. Techniques for computing winning regions in the order-one case when the winning condition is a parity condition have been discovered independently by both Cachat [25] and Serre [20]. These results for pushdown games have been extended to a number of winning conditions. In the higher-order case with a parity winning condition, a method for deciding whether a configuration is winning has been provided by Cachat [25].

1.4.2. C-Regularity. Prompted by the fact that the set of configurations reachable from a given configuration of a higher-order PDS is not regular in the sense of Bouajjani and Meyer (the stack contents cannot be represented by a finite automaton over words), Carayol [4] has proposed an alternative definition of regularity for higher-order stacks, which we shall call C-regularity. Our notion of regularity coincides with that of Bouajjani and Meyer, which, when confusion may arise, we shall call BM-regularity.

A set of order-n stacks is C-regular if it is obtained by a regular sequence of order-n stack operations. This notion of regularity is not equivalent to BM-regularity. For example, the set of order-2 stacks defined by the expression $(push_a)^*; push_2$ are all stacks of the form $[[a^n][a^n]]$. This set is clearly unrecognisable by any finite state automaton, and thus, it is not BM-regular.

Carayol shows that C-regularity coincides with MSO definability over the canonical 
structure associated with order-n stacks. This implies, for instance, that the winning 
region of a parity game over an order-n pushdown graph is also C-regular, as it can be 
defined as an MSO formula [25]. 

In this paper we solve the backwards reachability problem for higher-order PDSs and 
apply the solution to reachability games and model-checking. In this sense we give a weaker 
kind of result that uses a different notion of regularity. Because C-regularity does not imply 
BM-regularity, our result is not subsumed by the work of Carayol. However, a detailed 
comparison of the two approaches may provide a fruitful direction for further research. 

1.4.3. Higher-Order Recursion Schemes. Higher-order recursion schemes (HORSs) represent a further area of related work. A long standing open problem is whether a condition called safety is a genuine restriction on the expressiveness of a HORS. If not, then HORSs are equivalent to higher-order PDSs. It is known that safety is not a restriction at order-two for word languages [15]. This is conjectured not to be the case at higher orders.
MSO decidability for trees generated by arbitrary (i.e. not necessarily safe) HORSs has been shown by Ong [22]. A variant kind of higher-order PDSs called collapsible pushdown automata (extending panic automata [29] or pushdown automata with links [15] to all finite orders) has recently been shown to be equi-expressive with HORSs for generating ranked trees [17]. These new automata are conjectured to enrich the class of higher-order systems and provide many new avenues of research.

1.5. Document Structure. In Section 2 we give the definitions of higher-order (A)PDS and n-store multi-automata. We describe the backwards-reachability algorithm in the order-two case in three stages in Section 3: firstly we use an example to give an intuitive explanation of the algorithm. We then give a description of its framework and explain how we can generate an infinite sequence of 2-store multi-automata capturing the set $Pre^*(C_{init})$. Finally, we show how this sequence can be finitely represented (and constructed). The section finishes with a brief discussion of the order-n case, and the complexity of the algorithm. Section 4 discusses the applications of the main result to LTL model-checking, reachability games and alternation-free μ-calculus model-checking over higher-order PDSs. Finally, we conclude in Section 5. Additional proofs and algorithms are given in the appendix.

2. Preliminaries 

2.1. Alternation. In the sequel we will introduce several kinds of alternating automata. For convenience, we will use a non-standard definition of alternating automata that is equivalent to the standard definitions of Brzozowski and Leiss [13] and Chandra, Kozen and Stockmeyer [6]. Similar definitions have been used for the analysis of pushdown systems by Bouajjani et al. [2] and Cachat [25]. The alternating transition relation $\Delta \subseteq Q \times \Gamma \times 2^Q$, where $\Gamma$ is an alphabet and $Q$ is a state-set, is given in disjunctive normal form. That is, the image $\Delta(q, \gamma)$ of $q \in Q$ and $\gamma \in \Gamma$ is a set $\{Q_1, \ldots, Q_m\}$ with $Q_i \in 2^Q$ for $i \in \{1, \ldots, m\}$. When the automaton is viewed as a game, Eloise, the existential player, chooses a set $Q \in \Delta(q, \gamma)$; Abelard, the universal player, then chooses a state $q \in Q$. The existential component of the automaton is reflected in Eloise's selection of an element $(q, \gamma, Q)$ from $\Delta$ for a given $q$ and $\gamma$. Abelard's choice of a state $q$ from $Q$ represents the universal aspect of the automaton.

2.2. (Alternating) Higher-Order Pushdown Systems. A higher-order pushdown sys- 
tem comprises a finite set of control states and a higher-order store. Transitions of the 
higher-order PDS depend on both the current control state and the top symbol of the 
higher-order store. Each transition changes the control state and manipulates the store. 

The main result of this paper is presented over alternating higher-order pushdown systems. This is because, although we apply our results to higher-order PDSs, the power of alternation is required to provide solutions to reachability games and alternation-free μ-calculus model-checking over higher-order PDSs.

We begin by defining higher-order stores and their operations. We will then define 
higher-order PDSs in full. 
Definition 2.1 (n-Stores). The set $C^\Sigma_1$ of 1-stores over an alphabet $\Sigma$ is the set of words of the form $[a_1, \ldots, a_m]$ with $m \geq 0$ and $a_i \in \Sigma$ for all $i \in \{1, \ldots, m\}$, $[ \notin \Sigma$ and $] \notin \Sigma$. For $n > 1$, $C^\Sigma_n = \{ [w_1, \ldots, w_m] \mid m \geq 1 \text{ and } w_i \in C^\Sigma_{n-1} \text{ for all } i \in \{1, \ldots, m\} \}$.

There are three types of operations applicable to n-stores: push, pop and top. These are defined inductively. Over a 1-store, we have (for all $w \in \Sigma^*$),

$push_w [a_1 \ldots a_m] = [w a_2 \ldots a_m]$

$top_1 [a_1 \ldots a_m] = a_1$

We may define the abbreviation $pop_1 = push_\varepsilon$. When $n > 1$, we have,

$push_w [\gamma_1 \ldots \gamma_m] = [push_w(\gamma_1) \gamma_2 \ldots \gamma_m]$

$push_l [\gamma_1 \ldots \gamma_m] = [push_l(\gamma_1) \gamma_2 \ldots \gamma_m]$ if $2 \leq l < n$

$push_n [\gamma_1 \ldots \gamma_m] = [\gamma_1 \gamma_1 \gamma_2 \ldots \gamma_m]$

$pop_l [\gamma_1 \ldots \gamma_m] = [pop_l(\gamma_1) \gamma_2 \ldots \gamma_m]$ if $1 \leq l < n$

$pop_n [\gamma_1 \ldots \gamma_m] = [\gamma_2 \ldots \gamma_m]$ if $m > 1$

$top_l [\gamma_1 \ldots \gamma_m] = top_l(\gamma_1)$ if $1 \leq l < n$

$top_n [\gamma_1 \ldots \gamma_m] = \gamma_1$

Note that we assume without loss of generality $\Sigma \cap \mathbb{N} = \emptyset$, where $\mathbb{N}$ is the set of natural numbers. Furthermore, observe that when $m = 1$, $pop_n$ is undefined. We define $O_n = \{ push_w \mid w \in \Sigma^* \} \cup \{ push_l, pop_l \mid 1 < l \leq n \}$. The definition of higher-order PDSs follows.

Definition 2.2. An order-n PDS is a tuple $(\mathcal{P}, \mathcal{D}, \Sigma)$ where $\mathcal{P}$ is a finite set of control states $p$, $\mathcal{D} \subseteq \mathcal{P} \times \Sigma \times O_n \times \mathcal{P}$ is a finite set of commands $d$, and $\Sigma$ is a finite alphabet.

A configuration of a higher-order PDS is a pair $(p, \gamma)$ where $p \in \mathcal{P}$ and $\gamma$ is an n-store. We have a transition $(p, \gamma) \hookrightarrow (p', \gamma')$ iff we have $(p, a, o, p') \in \mathcal{D}$, $top_1(\gamma) = a$ and $\gamma' = o(\gamma)$.

We define $\hookrightarrow^*$ to be the transitive closure of $\hookrightarrow$. For a set of configurations $C_{init}$ we define $Pre^*(C_{init})$ as the set of configurations $(p, \gamma)$ such that, for some configuration $(p', \gamma') \in C_{init}$, we have $(p, \gamma) \hookrightarrow^* (p', \gamma')$.

We may generalise this definition to the case of Alternating higher-order PDSs. 

Definition 2.3. An order-n APDS is a tuple $(\mathcal{P}, \mathcal{D}, \Sigma)$ where $\mathcal{P}$ is a finite set of control states $p$, $\mathcal{D} \subseteq \mathcal{P} \times \Sigma \times 2^{O_n \times \mathcal{P}}$ is a finite set of commands $d$, and $\Sigma$ is a finite alphabet.

A configuration of a higher-order APDS is a pair $(p, \gamma)$ where $p \in \mathcal{P}$ and $\gamma$ is an n-store. We have a transition $(p, \gamma) \hookrightarrow C$ iff we have $(p, a, OP) \in \mathcal{D}$, $top_1(\gamma) = a$, and

$C = \{ (p', \gamma') \mid (o, p') \in OP \wedge \gamma' = o(\gamma) \} \cup \{ (p', \nabla) \mid (o, p') \in OP \text{ and } o(\gamma) \text{ is not defined} \}$

The transition relation generalises to sets of configurations via the following rule:

$\dfrac{(p, \gamma) \hookrightarrow C}{C' \cup \{(p, \gamma)\} \hookrightarrow C' \cup C}$

We define $\hookrightarrow^*$ to be the transitive closure of $\hookrightarrow$. For a set of configurations $C_{init}$ we define $Pre^*(C_{init})$ as the set of configurations $(p, \gamma)$ such that we have $(p, \gamma) \hookrightarrow^* C$ and $C \subseteq C_{init}$.



Example 2.4. We present an example to illustrate the definition of $Pre^*(C_{init})$ for higher-order APDSs. Figure 1 shows an excerpt of the configuration graph of a higher-order APDS with the commands,

$(p^1, \_, \{(o_2, p^2), (o_3, p^3)\})$

$(p^2, \_, \{(o_4, p^2)\})$

$(p^3, \_, \{(o_5, p^1)\})$

Figure 1: The configuration graph (excerpt) of an example higher-order APDS.

We consider a number of different values of $C_{init}$.

(1) Let $C_{init} = \{(p^2, o_2(\gamma))\}$. In this case $Pre^*(C_{init}) = C_{init}$. The configuration $(p^1, \gamma)$ is not in $Pre^*(C_{init})$ since the configuration $(p^3, o_3(\gamma))$ cannot be in $Pre^*(C_{init})$.

(2) Let $C_{init} = \{(p^2, o_2(\gamma)), (p^3, o_3(\gamma))\}$. In this case $Pre^*(C_{init}) = C_{init} \cup \{(p^1, \gamma)\}$. This is because the transition from $(p^1, \gamma)$ reaches a set that is a subset of $C_{init}$.

(3) Let $C_{init} = \{(p^2, o_4(o_2(\gamma)))\}$. In this case $Pre^*(C_{init}) = C_{init} \cup \{(p^2, o_2(\gamma))\}$. The configuration $(p^2, o_2(\gamma))$ is in the set because its transition moves to a set which is a subset of $C_{init}$. The pair $(p^1, \gamma)$ is not in the set because, although $(p^2, o_2(\gamma))$ is in $Pre^*(C_{init})$, the configuration $(p^3, o_3(\gamma))$ is not.

(4) Let $C_{init} = \{(p^2, o_4(o_2(\gamma))), (p^3, o_3(\gamma))\}$. In this case $Pre^*(C_{init})$ is the set $C_{init} \cup \{(p^2, o_2(\gamma)), (p^1, \gamma)\}$. We have $(p^2, o_2(\gamma)) \in Pre^*(C_{init})$ as before. Furthermore, we have the following run from $(p^1, \gamma)$,

$(p^1, \gamma) \hookrightarrow \{(p^2, o_2(\gamma)), (p^3, o_3(\gamma))\} \hookrightarrow \{(p^2, o_4(o_2(\gamma))), (p^3, o_3(\gamma))\}$

Hence, $(p^1, \gamma) \in Pre^*(C_{init})$.

Finally, suppose the higher-order APDS also has a command of the form,

$(p^1, \_, \{(push_l, p^1)\})$

and it is the case that (only) $push_l(o_5(o_3(\gamma)))$ is undefined. If $C_{init} = \{(p^1, \nabla)\}$, then $Pre^*(C_{init}) = C_{init} \cup \{(p^1, o_5(o_3(\gamma))), (p^3, o_3(\gamma))\}$.

Observe that since no transitions are possible from an "undefined" configuration $(p, \nabla)$ we can reduce the reachability problem for higher-order PDSs to the reachability problem over higher-order APDSs in a straightforward manner.
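As an added example (not code from the paper), the following Python models the n-store operations of Definition 2.1 and the alternating transition relation of Definition 2.3, and computes $Pre^*$ enumeratively over a finite candidate set in the spirit of Example 2.4; the order-2 APDS, its control states p, q, r and all helper names are constructed for illustration, and the explicit fixpoint is not the paper's automaton-based algorithm.

```python
# Added example, not the paper's code: the n-store operations of Definition 2.1 and the
# alternating transition relation of Definition 2.3, plus an enumerative Pre* over a
# finite candidate set.  Stores are nested tuples; index 0 is the top of each store.
from typing import Optional

NABLA = "NABLA"   # stands for the undefined store (the paper's triangle symbol)

def order(s: tuple) -> int:
    """1 for a tuple of symbols (the empty 1-store included), k + 1 for a tuple of k-stores."""
    return 1 if not s or not isinstance(s[0], tuple) else 1 + order(s[0])

def _on_top(s: tuple, f) -> Optional[tuple]:
    """Apply f to the topmost (n-1)-store; None (undefined) propagates upwards."""
    r = f(s[0])
    return None if r is None else (r,) + s[1:]

def push_w(s: tuple, w: str) -> Optional[tuple]:
    """push_w: replace the top symbol of the topmost 1-store by the word w.  Our reading:
    undefined on an empty 1-store, since the definition has no case for m = 0."""
    if order(s) == 1:
        return None if not s else tuple(w) + s[1:]
    return _on_top(s, lambda t: push_w(t, w))

def pop_1(s: tuple) -> Optional[tuple]:
    """pop_1 is the abbreviation push_epsilon."""
    return push_w(s, "")

def push_l(s: tuple, l: int) -> Optional[tuple]:
    """push_l (2 <= l <= n): duplicate the topmost order-(l-1) stack."""
    return (s[0],) + s if l == order(s) else _on_top(s, lambda t: push_l(t, l))

def pop_l(s: tuple, l: int) -> Optional[tuple]:
    """pop_l: remove the topmost order-(l-1) stack; undefined when only one remains (m = 1)."""
    if l == 1:
        return pop_1(s)
    if l == order(s):
        return None if len(s) == 1 else s[1:]
    return _on_top(s, lambda t: pop_l(t, l))

def top_l(s: tuple, l: int):
    """top_l: the topmost order-(l-1) stack; for l = 1 the top symbol (None if the 1-store is empty)."""
    if l == order(s):
        return s[0] if s else None
    return top_l(s[0], l)

# A configuration is (control state, store), the store being NABLA when undefined.  A command is
# (p, a, OP) with OP a frozenset of (operation, p'); a = None plays the role of the paper's "_"
# wildcard and matches any top symbol.
def successors(commands, conf):
    """All sets C with conf -> C (Definition 2.3); no transition leaves (p, NABLA)."""
    p, s = conf
    if s == NABLA:
        return []
    result = []
    for (cp, a, OP) in commands:
        if cp == p and (a is None or top_l(s, 1) == a):
            C = set()
            for (op, p2) in OP:
                s2 = op(s)
                C.add((p2, NABLA if s2 is None else s2))   # undefined op -> (p', NABLA)
            result.append(frozenset(C))
    return result

def explore(commands, seeds, steps: int):
    """Configurations reachable from `seeds` in at most `steps` transitions (finite candidates)."""
    seen, frontier = set(seeds), set(seeds)
    for _ in range(steps):
        nxt = set()
        for conf in frontier:
            for C in successors(commands, conf):
                nxt |= C
        frontier, seen = nxt - seen, seen | nxt
    return seen

def pre_star(commands, c_init, candidates):
    """Least S containing c_init with: conf -> C and C <= S imply conf in S.  Restricting the
    search to a finite candidate set yields a sound under-approximation of Pre*(c_init)."""
    S, changed = set(c_init), True
    while changed:
        changed = False
        for conf in candidates:
            if conf not in S and any(C <= S for C in successors(commands, conf)):
                S.add(conf)
                changed = True
    return S

# Constructed order-2 APDS over {a, b} with control states p, q, r.
COMMANDS = [
    ("p", "a", frozenset({(lambda s: push_l(s, 2), "q"), (lambda s: pop_l(s, 2), "r")})),
    ("q", "a", frozenset({(pop_1, "q")})),
    ("r", None, frozenset({(lambda s: pop_l(s, 2), "r")})),
]
START = ("p", (("a",),))   # the configuration (p, [[a]])

if __name__ == "__main__":
    cands = explore(COMMANDS, {START}, 3)
    # (p, [[a]]) -> {(q, [[a][a]]), (r, NABLA)}: alternation requires both in the target set
    print(START in pre_star(COMMANDS, {("q", ((), ("a",))), ("r", NABLA)}, cands))  # True
    print(START in pre_star(COMMANDS, {("q", ((), ("a",)))}, cands))                # False
```

The second call shows the alternating requirement of Definition 2.3: dropping the undefined configuration (r, ∇) from the target set removes (p, [[a]]) from $Pre^*$, although its other successor is still backwards-reachable.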

In the sequel, to ease the presentation, we assume n > 1. The case n = 1 was investi- 
gated by Bouajjani et al. [2]. 
2.3. n-Store Multi-Automata. To represent sets of configurations symbolically we will use n-store multi-automata. These are alternating automata whose transitions are labelled by $(n-1)$-store automata, which are also alternating. A set of configurations is regular iff it can be represented using an n-store multi-automaton. This notion of regularity coincides with the definition of Bouajjani and Meyer (see Appendix A). In Appendix B we give algorithms for enumerating runs of n-store automata, testing membership and performing boolean operations on the automata.

Definition 2.5.

(1) A 1-store automaton is a tuple $(Q, \Sigma, \Delta, q_0, Q_f)$ where $Q$ is a finite set of states, $\Sigma$ is a finite alphabet, $q_0$ is the initial state and $Q_f \subseteq Q$ is a set of final states. It is the case that $\Delta \subseteq Q \times \Sigma \times 2^Q$ is a finite transition relation.

(2) Let $\mathfrak{B}_{n-1}$ be the (infinite) set of all $(n-1)$-store automata over the alphabet $\Sigma$. An n-store automaton over the alphabet $\Sigma$ is a tuple $(Q, \Sigma, \Delta, q_0, Q_f)$ where $Q$ is a finite set of states, $q_0 \notin Q_f$ is the initial state, $Q_f \subseteq Q$ is a set of final states, and $\Delta \subseteq Q \times \mathfrak{B}_{n-1} \times 2^Q$ is a finite transition relation. Furthermore, let $\mathfrak{B}_0 = \Sigma$.

(3) An n-store multi-automaton over the alphabet $\Sigma$ is a tuple

$(Q, \Sigma, \Delta, \{q^1, \ldots, q^z\}, Q_f)$

where $Q$ is a finite set of states, $\Sigma$ is a finite alphabet, $q^i$ for $i \in \{1, \ldots, z\}$ are pairwise distinct initial states with $q^i \notin Q_f$ and $q^i \in Q$; $Q_f \subseteq Q$ is a set of final states, and,

$\Delta \subseteq (Q \times \mathfrak{B}_{n-1} \times 2^Q) \cup (\{q^1, \ldots, q^z\} \times \{\nabla\} \times \{\{q_\nabla\}\})$

is a finite transition relation where $q_\nabla \notin Q_f$ has no outgoing transitions.

To indicate a transition $(q, B, \{q_1, \ldots, q_m\}) \in \Delta$ we write,

$q \xrightarrow{B} \{q_1, \ldots, q_m\}$

A transition of the form $q^{p'} \xrightarrow{\nabla} \{q_\nabla\}$ indicates that the undefined configuration $(p', \nabla)$ is accepted. Runs of the automata from a state $q$ take the form,

$q \xrightarrow{B_0} \{q^1_1, \ldots, q^1_{m_1}\} \xrightarrow{B_1} \cdots \xrightarrow{B_m} \{q^{m+1}_1, \ldots, q^{m+1}_{m_{m+1}}\}$

where transitions between configurations $\{q^t_1, \ldots, q^t_{m_t}\} \xrightarrow{B_t} \{q^{t+1}_1, \ldots, q^{t+1}_{m_{t+1}}\}$ are such that we have $q^t_y \xrightarrow{B^t_y} Q_y$ for all $y \in \{1, \ldots, m_t\}$ and $\bigcup_{y \in \{1, \ldots, m_t\}} Q_y = \{q^{t+1}_1, \ldots, q^{t+1}_{m_{t+1}}\}$ and additionally $\bigcup_{y \in \{1, \ldots, m_t\}} \{B^t_y\} = B_t$. Observe that $B_0$ is necessarily a singleton set. A run over a word $\gamma_1 \ldots \gamma_m$, denoted $q \xrightarrow{\gamma_1 \ldots \gamma_m} Q$, exists whenever,

$q \xrightarrow{B_1} \cdots \xrightarrow{B_m} Q$

and for all $1 \leq i \leq m$, $\gamma_i \in \mathcal{L}(B_i)$, where $\gamma \in \mathcal{L}(B)$ iff $\gamma \in \mathcal{L}(B')$ (defined below) for all $B' \in B$. If a run occurs in an automaton forming part of a sequence of automata $A_0, A_1, \ldots$ we may write $\xrightarrow{}_i$ to indicate which automaton $A_i$ the run belongs to.

We define $\mathcal{L}(a) = a$ for all $a \in \Sigma = \mathfrak{B}_0$. An n-store $[\gamma_1 \ldots \gamma_m]$ is accepted by an n-store automaton $A$ (that is $[\gamma_1 \ldots \gamma_m] \in \mathcal{L}(A)$) iff we have a run $q_0 \xrightarrow{\gamma_1 \ldots \gamma_m} Q$ in $A$ with $Q \subseteq Q_f$.
For a given n-store multi-automaton $A = (Q, \Sigma, \Delta, \{q^1, \ldots, q^z\}, Q_f)$ we define $\mathcal{L}(A^{q^j})$ to be the set of n-stores accepted by $A$ when $q^j$ is taken as the initial state, together with

$\{ \nabla \mid q^j \xrightarrow{\nabla} \{q_\nabla\} \}$

and

$\mathcal{L}(A) = \{ (p^j, \gamma) \mid j \in \{1, \ldots, z\} \wedge \gamma \in \mathcal{L}(A^{q^j}) \}$

Finally, we define the automata $B^a_l$ for all $1 \leq l \leq n$ and $a \in \Sigma$ and the notation $q^\theta$. The l-store automaton $B^a_l$ accepts any l-store $\gamma$ such that $top_1(\gamma) = a$. If $\theta$ represents a store automaton, the state $q^\theta$ refers to the initial state of the automaton represented by $\theta$.

3. Backwards Reachability: The Order-Two Case 

Since the backwards reachability problem for higher-order PDSs permits a direct reduction to the same problem for higher-order APDSs, we solve the backwards reachability problem for higher-order APDSs. Due to space constraints we present the order-2 case. The general case is addressed briefly at the end of this section and is due to appear in Hague's Ph.D. thesis.

Theorem 3.1. Given a 2-store multi-automaton $A_0$ accepting the set of configurations $C_{init}$ of an order-2 APDS, we can construct in 2-EXPTIME (in the size of $A_0$) a 2-store multi-automaton accepting the set $Pre^*(C_{init})$. Thus, $Pre^*(C_{init})$ is regular. □

Fix an order-2 APDS. We begin by showing how to generate an infinite sequence of automata $A_0, A_1, \ldots$, where $A_0$ is such that $\mathcal{L}(A_0) = C_{init}$. This sequence is increasing in the sense that $\mathcal{L}(A_i) \subseteq \mathcal{L}(A_{i+1})$ for all $i$, and sound and complete with respect to $Pre^*(C_{init})$; that is $\bigcup_{i \geq 0} \mathcal{L}(A_i) = Pre^*(C_{init})$. To conclude the algorithm, we construct a single automaton $A^*$ such that $\mathcal{L}(A^*) = \bigcup_{i \geq 0} \mathcal{L}(A_i)$.

We assume, without loss of generality, that all initial states in $A_0$ have no incoming transitions and there exists in $A_0$ a state $q_f$ from which all valid 2-stores are accepted and a state $q_\nabla \notin Q_f$ that has no outgoing transitions.

3.1. Example. We give an intuitive explanation of the algorithm by means of an example. Fix the following two-state order-two PDS:

$d_1 = (p^1, a, push_2, p^1)$

$d_2 = (p^1, a, push_b, p^2)$

$d_3 = (p^2, a, push_w, p^1)$

$d_4 = (p^2, a, pop_2, p^1)$

and a 2-store multi-automaton $A_0$ shown in Figure 2 with some $B_1, B_2, B_3$ and $B_4$.

We proceed via a number of iterations, generating the automata $A_0, A_1, \ldots$. We construct $A_{i+1}$ from $A_i$ to reflect an additional inverse application of the commands $d_1, \ldots, d_4$. Rather than manipulating the order-1 store automata labelling the edges of $A_0$ directly, we introduce new transitions (at most one between each pair of states $q_1$ and $q_2$) and label these edges with the set $G^{i+1}_{(q_1, q_2)}$. This set is a recipe for the construction of an order-1 store automaton that will ultimately label the edge. The set $\mathcal{G}^{i+1}$ is the set of all sets $G^{i+1}_{(q_1, q_2)}$ introduced. The resulting $A_1$ is given in Figure 3, where the contents of the three sets $G^1_{(q_1, q_2)}$ in $\mathcal{G}^1$
Figure 2: The initial 2-store multi-automaton $A_0$.

Figure 3: The automaton $A_1$.

Table 1: The contents of the sets in $\mathcal{G}^1$. [Table layout not recoverable from the extraction; the legible entries are $\{B^a_1, B_1, B_3\}$, $\{(a, push_b, B_1)\}$, $\{(a, push_w, B_1)\}$ and $\{B^a_1\}$, in columns headed by the commands $d_1, \ldots, d_4$.]

are given in Table 1. The columns indicate which command introduced each element to the set.

To process the command $d_1$ we need to add to the set of configurations accepted by $A_1$ all configurations of the form $(p^1, [\gamma_1 \ldots \gamma_m])$ with $top_1(\gamma_1) = a$ for each configuration $(p^1, [\gamma_1 \gamma_1 \gamma_2 \ldots \gamma_m])$ accepted by $A_0$. This is because $push_2[\gamma_1 \ldots \gamma_m] = [\gamma_1 \gamma_1 \gamma_2 \ldots \gamma_m]$. Hence we add the transition from $q^1$ to $q_f$. The contents of $G^1_{(q^1, q_f)}$ indicate that this edge must accept the product of $B^a_1$, $B_1$ and $B_3$.

Figure 4: The automaton $A_2$.

The commands $d_2$ and $d_3$ update the $top_2$ stack of any configuration accepted from $q^2$ or $q^1$ respectively. In both cases this updated stack must be accepted in $A_0$. Hence, the contents of the sets labelling the new edges from $q^1$ and $q^2$ specify that the automaton $B_1$ must be manipulated to produce the automaton that will label these new transitions. Finally, since $pop_2[\gamma_1 \ldots \gamma_m] = [\gamma_2 \ldots \gamma_m]$, $d_4$ requires an additional $top_2$ stack with $a$ as its $top_1$ element to be added to any stack accepted from $q^1$. Thus, we introduce the transition from $q^2$ to $q^1$.

To construct $A_2$ from $A_1$ we repeat the above procedure, taking into account the additional transitions in $A_1$. Observe that we do not add additional transitions between pairs of states that already have a transition labelled by a set. Instead, each labelling set may contain several element sets. The resulting $A_2$ is given in Figure 4, where the contents of the sets $G^2_{(q, q')}$ in $\mathcal{G}^2$ are given in Table 2. The columns indicate which command introduced each element to the set.

If we were to repeat this procedure to construct $A_3$ we would notice that a kind of fixed point has been reached. In particular, the transition structure of $A_3$ will match that of $A_2$ and each $G^3_{(q, q')}$ will match $G^2_{(q, q')}$ in everything but the indices of the labels $G^i_{(q, q')}$ appearing in the element sets. We may write $G^3_{(q, q')} = G^2_{(q, q')}[2/1]$ where the notation $[2/1]$ indicates a substitution of the element indices.

So far we have just constructed sets to label the transitions of $A_1$ and $A_2$. To complete the construction of $A_1$ we need to construct the automata represented by the labels $G^1_{(q, q')}$ for the appropriate $q, q'$. Because each of these new automata will be constructed from $B_1, \ldots, B_4, B^a_1$, we build them simultaneously, constructing a single (1-store multi-)automaton $\mathcal{G}^1$ with an initial state $g^1_{(q, q')}$ for each $G^1_{(q, q')}$. The automaton $\mathcal{G}^1$ is constructed
through the addition of states and transitions to the disjoint union of $B_1, \ldots, B_4, B^a_1$. Creating the automaton $\mathcal{G}^2$ is analogous and is built through the addition of states and transitions to $\mathcal{G}^1$.

Table 2: The contents of the sets in $\mathcal{G}^2$. [Table layout not recoverable from the extraction; the legible entries are $\{(a, push_b, B_1)\}$, $\{B^a_1, B_1, B_3\}$, $\{B^a_1, G^1_{(q^1, q')}, B_3\}$, $\{(a, push_w, B_1)\}$, $\{(a, push_w, G^1_{(q, q')})\}$ and $\{B^a_1\}$, in columns headed by the commands $d_1, \ldots, d_4$.]

The automaton $\mathcal{G}^1$ is given in Figure 5. We do not display this automaton in full since the number of alternating transitions entails a diagram too complicated to be illuminating. Instead we will give the basic structure of the automaton with many transitions omitted. In particular we show a transition derived from $\{B^a_1, B_1, B_3\}$ and a transition derived from $\{(a, push_b, B_1)\}$ (both from states of the form $g^1_{(q^1, q')}$ for the appropriate $q'$), and a transition derived from $\{B^a_1\}$ (from state $g^1_{(q^2, q^1)}$). Notably, we have omitted any transitions derived from the $push_w$ command. This is simply for convenience since we do not wish to further explicate $B_1, B_2, B_3$ or $B_4$. From this automaton we derive each $G^1_{(q, q')}$ by setting the initial state to the corresponding $g^1_{(q, q')}$.

The automaton $\mathcal{G}^2$ is shown in Figure 6. Again, due to the illegibility of a complete diagram, we omit many of the transitions. The new transition from $g^2_{(q^1, q')}$ is derived from the set $\{B^a_1, B_3, G^1_{(q^1, q')}\}$. One of the transitions from $g^2_{(q^1, q')}$ and the only transition from $g^2_{(q^2, q^1)}$ are inherited from their corresponding states in the previous automaton. This inheritance ensures that we do not lose information from the previous iteration. The uppermost transition from $g^2_{(q^1, q')}$ derives from a set of the form $\{(a, push_b, G^1_{(q, q')})\}$. From this automaton we derive each $G^2_{(q, q')}$.

We have now constructed the automata $A_1$ and $A_2$. We could then repeat this procedure to generate $A_3, A_4, \ldots$, resulting in an infinite sequence of automata that is sound and complete with respect to $Pre^*(\mathcal{L}(A_0))$.
Figure 5: A selective view of $\mathcal{G}^1$.

Figure 6: A selective view of $\mathcal{G}^2$.

To construct $A^*$ such that $\mathcal{L}(A^*) = \bigcup_{i \geq 0} \mathcal{L}(A_i)$ we observe that since a fixed point was reached at $A_2$, the update to each $\mathcal{G}^i$ to create $\mathcal{G}^{i+1}$ will use similar recipes and hence become repetitive. This will lead to an infinite chain with an unvarying pattern of edges. This chain can be collapsed as shown in Figure 7.
Figure 7: Collapsing a repetitive chain of new states.

Figure 8: A selective view of $\mathcal{G}^*$.

In particular, we are no longer required to add new states to $\mathcal{G}^i$ to construct $\mathcal{G}^{i+1}$ for $i > 2$. Instead, we fix the update instructions $G^2_{(q,q')}[2/1]$ for all $q, q'$ and manipulate $\mathcal{G}^2$ as we manipulated the order-2 structure of $A_0$ to create $A_1$ and $A_2$. We write $\mathcal{G}^i_*$ to distinguish these automata from the automata generated without fixing the state-set.

Because $\Sigma$ and the state-set are finite (and remain unchanged), this procedure will reach another fixed point $\mathcal{G}^*$ when the transition relation is saturated and $\mathcal{G}^i_* = \mathcal{G}^{i+1}_*$. The automaton $A_*$ has the transition structure that became fixed at $A_2$, labelled with automata derived from $\mathcal{G}^*$. This automaton will be sound and complete with respect to $Pre^*(\mathcal{L}(A_0))$.

An abbreviated diagram of $\mathcal{G}^*$ is given in Figure 8. We have hidden, for clarity, the transition derived from $\{B^a_1, B_3, G^1_{(q^1,0)}\}$ in Figure 6. Instead, we show the transition introduced for the set $\{B^a_1, B_3, G^1_{(q^1,0)}\}[2/1] = \{B^a_1, B_3, G^2_{(q^1,0)}\}$ during the construction of $\mathcal{G}^*$. We have also included the self-loop added by $\{(a, \mathit{push}_w, G^1_{(q^1,0)})\}[2/1] = \{(a, \mathit{push}_w, G^2_{(q^1,0)})\}$ that enabled the introduction of this transition.
3.2. Preliminaries. We now discuss the algorithm more formally. We begin by describing the transitions labelled by $G^i_{(q_1,Q_2)}$ before discussing the construction of the sequence $A_0, A_1, \dots$ and the automaton $A_*$.

To aid in the construction of an automaton representing $Pre^*(\mathcal{C}_{Init})$ we introduce a new kind of transition to the 2-store automata. These new transitions are introduced during the processing of the APDS commands. They are labelled with place-holders that will eventually be converted into 1-store automata.

Between any state $q_1$ and set of states $Q_2$ we add at most one transition. We associate this transition with an identifier $G_{(q_1,Q_2)}$. To describe our algorithm we will define sequences of automata, indexed by $i$. We superscript the identifier to indicate to which automaton in the sequence it belongs. The identifier $G^i_{(q_1,Q_2)}$ is associated with a set that acts as a recipe for updating the 1-store automaton described by $G^{i-1}_{(q_1,Q_2)}$, creating a new automaton if $G^{i-1}_{(q_1,Q_2)}$ does not exist. Ultimately, the constructed 1-store automaton will label the new transition. In the sequel, we will confuse the notion of an identifier and its associated set. The intended usage should be clear from the context.

The sets are in a kind of disjunctive normal form. A set $\{S_1, \dots, S_m\}$ represents an automaton that accepts the union of the languages accepted by the automata described by $S_1, \dots, S_m$. Each set $S \in \{S_1, \dots, S_m\}$ corresponds to a possible effect of a command $d$ at order-1 of the automaton. The automaton described by $S = \{\alpha_1, \dots, \alpha_m\}$ accepts the intersection of the languages described by its elements $\alpha_t$ ($t \in \{1, \dots, m\}$). An element that is an automaton $B$ refers directly to the automaton $B$. Similarly, an identifier $G^i_{(q_1,Q_2)}$ refers to its corresponding automaton. Finally, an element of the form $(a, \mathit{push}_w, \theta)$ refers to an automaton capturing the effect of applying the inverse of the $\mathit{push}_w$ command to the stacks accepted by the automaton represented by $\theta$; moreover, the $top_1$ character of the stacks accepted by the new automaton will be $a$. It is a consequence of the construction that for any $S$ added during the algorithm, if $(a, \mathit{push}_w, \theta) \in S$ and $(a', \mathit{push}_{w'}, \theta') \in S$ then $a = a'$.

Formally, to each $G^i_{(q_1,Q_2)}$ we attach a subset of

$$2^{\mathcal{B} \,\cup\, G_{i-1} \,\cup\, (\Sigma \times \mathcal{O} \times (\mathcal{B} \cup G_{i-1}))}$$

where $\mathcal{B}$ is the set of all 1-store automata occurring in $A_0$ and all automata of the form $B^a_1$. Further, we denote the set of all identifiers $G^i_{(q_1,Q_2)}$ in $A_i$ as $G_i$. The sets $\mathcal{B}$ and $\mathcal{O}$ are finite by definition. The size of the set $G_i$ for any $i$ is finitely bounded by the (fixed) state-set of $A_i$. We build the automata for all $G^i_{(q_1,Q_2)} \in G_i$ simultaneously. That is, we create a single automaton $\mathcal{G}^i$ associated with the set $G_i$. This automaton has a state $g^i_{(q_1,Q_2)}$ for each $G^i_{(q_1,Q_2)} \in G_i$. The automaton $G^i_{(q_1,Q_2)}$ labelling the transition $q_1 \longrightarrow_i Q_2$ is the automaton $\mathcal{G}^i$ with $g^i_{(q_1,Q_2)}$ as its initial state.

The automaton $\mathcal{G}^i$ is built inductively. We set $\mathcal{G}^0$ to be the disjoint union of all automata in $\mathcal{B}$. We define $\mathcal{G}^{i+1} = T_{G_{i+1}}(\mathcal{G}^i)$ where $T_{G_j}(\mathcal{G}^i)$ is given in Definition 3.2. In Section 3.4 it will be seen that $j$ is not always $(i+1)$.

Definition 3.2. Given an automaton $\mathcal{G}^i = (Q^i, \Sigma, \Delta^i, \_, Q_f)$ and a set of identifiers (and associated sets) $G_j$, we define,

$$\mathcal{G}^{i+1} = T_{G_j}(\mathcal{G}^i) = (Q^{i+1}, \Sigma, \Delta^{i+1}, \_, Q_f)$$

where $Q^{i+1} = Q^i \cup \{\, g^{i+1}_{(q_1,Q_2)} \mid G^j_{(q_1,Q_2)} \in G_j \,\}$, $\Delta^{i+1} = \Delta^{i+1}_{\mathit{inherited}} \cup \Delta^{i+1}_{\mathit{new}} \cup \Delta^i$, where $\Delta^{i+1}_{\mathit{inherited}}$ gives each new state $g^{i+1}_{(q_1,Q_2)}$ the transitions of the previous initial state it replaces (the first stage described below), and,

$$\Delta^{i+1}_{\mathit{new}} = \{\, g^{i+1}_{(q_1,Q_2)} \xrightarrow{b} Q \mid G^j_{(q_1,Q_2)} \in G_j \text{ and } b \in \Sigma \text{ and } (1) \,\}$$

where (1) requires $\{\alpha_1, \dots, \alpha_r\} \in G^j_{(q_1,Q_2)}$, $Q = Q_1 \cup \dots \cup Q_r$ and for each $t \in \{1, \dots, r\}$ we have,

• If $\alpha_t = \theta$, then $(q_\theta \xrightarrow{b} Q_t) \in \Delta^i$, where $q_\theta$ is the initial state of the automaton referred to by $\theta$.

• If $\alpha_t = (a, \mathit{push}_w, \theta)$, then $b = a$ and $q_\theta \xrightarrow{w} Q_t$ is a run of $\mathcal{G}^i$.

There are two key parts to Definition 3.2. During the first stage we add a new initial state for each automaton forming a part of $\mathcal{G}^{i+1}$. By adding new initial states, rather than using the previous set of initial states, we guarantee that no unwanted cycles are introduced, which may lead to the erroneous acceptance of certain stores. We ensure that each 1-store accepted by $\mathcal{G}^i$ is accepted by $\mathcal{G}^{i+1}$ (so the set of accepted stores is increasing) by inheriting transitions from the previous set of initial states.

During the second stage we add transitions between the set of new initial states and the state-set of $\mathcal{G}^i$ to capture the effect of a backwards application of the APDS commands to $\mathcal{L}(A_i)$. Intuitively, we only add new transitions to the initial states because all stack operations affect the top of the stack, leaving the remainder unchanged.

There are two different forms for the elements $\alpha_t \in \{\alpha_1, \dots, \alpha_r\}$. If $\alpha_t$ refers directly to an automaton, then we require that the new store is also accepted by the automaton referred to by $\alpha_t$. We simply inherit the initial transitions of that automaton in a similar manner to the first stage of $T_{G_j}(\mathcal{G}^i)$. If $\alpha_t$ is of the form $(a, \mathit{push}_w, \theta)$, then it corresponds to the effects of a command $(p, a, \{\dots, (\mathit{push}_w, p'), \dots\})$. The new store must have the character $a$ as its $top_1$ character, and the store resulting from the application of the operation $\mathit{push}_w$ must be accepted by the automaton represented by $\theta$. That is, the new state must accept all stores of the form $aw'$ when the store $ww'$ is accepted by $\theta$.

3.3. Constructing the Sequence $A_0, A_1, \dots$. For a given order-2 APDS with commands $\mathcal{D}$ we define $A_{i+1} = T_{\mathcal{D}}(A_i)$ where the operation follows. We assume $A_0$ has a state $q_f$ with no outgoing transitions and a state from which all stores are accepted.

Definition 3.3. Given an automaton $A_i = (Q, \Sigma, \Delta^i, \{q^1, \dots, q^z\}, Q_f)$ and a set of commands $\mathcal{D}$, we define,

$$A_{i+1} = T_{\mathcal{D}}(A_i) = (Q, \Sigma, \Delta^{i+1}, \{q^1, \dots, q^z\}, Q_f)$$

where $\Delta^{i+1}$ is given below.

We begin by defining the set of labels $G_{i+1}$. This set contains labels on transitions present in $A_i$, and labels on transitions derived from $\mathcal{D}$. That is,

$$G_{i+1} = \{\, G^{i+1}_{(q^j,Q)} \mid (q^j \longrightarrow_i Q) \in \Delta^i \text{ and } j \in \{1, \dots, z\} \,\} \cup \{\, G^{i+1}_{(q^k,Q)} \mid (2) \,\}$$

The contents of the associated sets $G^{i+1}_{(q^k,Q)} \in G_{i+1}$ are defined $G^{i+1}_{(q^k,Q)} = \{\, S \mid (2) \,\}$ where (2) requires $(p^k, a, \{(o_1, p^{k_1}), \dots, (o_m, p^{k_m})\}) \in \mathcal{D}$, $Q = Q_1 \cup \dots \cup Q_m$, $S = S_1 \cup \dots \cup S_m$ and for each $t \in \{1, \dots, m\}$ we have,

• If $o_t = \mathit{push}_2$, then $S_t = \{B^a_1\} \cup \theta_1 \cup \theta_2$ and there exists a path $q^{k_t} \xrightarrow{\theta_1}_i Q' \xrightarrow{\theta_2}_i Q_t$ in $A_i$.

• If $o_t = \mathit{pop}_2$, then $S_t = \{B^a_1\}$ and $Q_t = \{q^{k_t}\}$. Or, if $q^{k_t} \xrightarrow{\bot}_i \{q_f\}$ exists in $A_i$, we may have $S_t = \{B^a_1\}$ and $Q_t = \{q_f\}$.

• If $o_t = \mathit{push}_w$ then $S_t = \{(a, \mathit{push}_w, \theta)\}$ and there exists a transition $q^{k_t} \xrightarrow{\theta}_i Q_t$ in $A_i$.

Finally, we give the transition relation $\Delta^{i+1}$.

We can construct an automaton whose transitions are 1-store automata by replacing each set $G^{i+1}_{(q,Q)}$ with the automaton $G^{i+1}_{(q,Q)}$, which is $\mathcal{G}^{i+1}$ with initial state $g^{i+1}_{(q,Q)}$, where $\mathcal{G}^{i+1} = T_{G_{i+1}}(\mathcal{G}^i)$. Note that $\mathcal{G}^i$ is assumed by induction. In the base case, $\mathcal{G}^0$ is the disjoint union of all automata in $\mathcal{B}$.

The above construction is similar to Definition 3.2. However, because we do not change the initial states of the automaton, we do not have to perform the inheritance step. Furthermore, the set of commands $\mathcal{D}$ specifies how the automata should be updated, rather than a set $G_j$. A command $(p^k, a, \{(o_1, p^{k_1}), \dots, (o_m, p^{k_m})\})$ takes the place of a set $\{\alpha_1, \dots, \alpha_m\}$.

The contents of $S_t$ and $Q_t$ depend on the operation $o_t$. If $o_t$ is of a lower order than 2 (that is, a $\mathit{push}_w$ command) then $o_t(\gamma w) = o_t(\gamma) w$ for any store $\gamma w$. Hence we inherit the first transition from the initial state of the automaton represented by $\theta$, but pass the required constraint (using $S_t = \{(a, o_t, \theta)\}$) to the lower orders of the automaton.

Otherwise $o_t$ is a $\mathit{pop}_2$ or $\mathit{push}_2$ operation. If $o_t$ is a $\mathit{push}_2$ command, then $\mathit{push}_2(\gamma w') = \gamma\gamma w'$, and hence we use $S_t$ to ensure that the top store $\gamma$ of $\gamma w'$ is accepted by the first two transitions from the initial state of the automaton represented by $\theta$, and we use $Q_t$ to ensure that the tails of the stores match.

In case $o_t$ is a $\mathit{pop}_2$ operation, the new store is simply the old store with an additional 2-store on top (that is, $\mathit{pop}_2(\gamma w') = w'$). Thus, $Q_t$ is the initial state of the automaton represented by $\theta$ and $S_t$ contains the automaton $B^a_1$, which ensures that the $top_1$ character of the new store is $a$. We also need to consider the undefined store $\bot$. This affects the processing of $\mathit{pop}_2$ operations since their result is not always defined. Hence, when considering which new stores may be accepted by $A_{i+1}$, we check whether the required undefined configuration is accepted by $A_i$. This is witnessed by the presence of a $\bot$ transition from $q^{k_t}$. If the result may be undefined, we accept all stores that do not have an image under the $\mathit{pop}_2$ operation. That is, all stores of the form $[\gamma]$.

By repeated applications of $T_{\mathcal{D}}$ we construct the sequence $A_0, A_1, \dots$ which is sound and complete with respect to $Pre^*(\mathcal{C}_{Init})$.

Property 3.4. For any configuration $(p^j, \gamma)$ it is the case that $\gamma \in \mathcal{L}(A^j_i)$ for some $i$ iff $(p^j, \gamma) \in Pre^*(\mathcal{C}_{Init})$.

Proof. From the two properties established in Appendix C. □



3.4. Constructing the Automaton $A_*$. We need to construct a finite representation of the sequence $A_0, A_1, \dots$ in a finite amount of time. To do this we will construct an automaton $A_*$ such that $\mathcal{L}(A_*) = \bigcup_{i \ge 0} \mathcal{L}(A_i)$. We begin by introducing some notation and a notion of subset modulo $i$ for the sets $G^i_{(q_1,Q_2)}$.
Definition 3.5.

(1) Given $\theta \in \mathcal{B} \cup G_{i'}$ for some $i'$, let

$$\theta[j/i] = \begin{cases} \theta & \text{if } \theta \in \mathcal{B} \\ G^j_{(q_1,Q_2)} & \text{if } \theta = G^i_{(q_1,Q_2)} \end{cases}$$

(2) For a set $S$ we define $S[j/i]$ such that,

(a) We have $\theta \in S$ iff we have $\theta[j/i] \in S[j/i]$, and

(b) We have $(a, o, \theta) \in S$ iff we have $(a, o, \theta[j/i]) \in S[j/i]$.

(3) We extend the notation $[j/i]$ to nested sets-of-sets structures in a point-wise fashion.



Definition 3.6.

(1) We write $G^i_{(q_1,Q_2)} \le G^j_{(q_1,Q_2)}$ iff for each $S \in G^i_{(q_1,Q_2)}$ we have $S[j-1/i-1] \in G^j_{(q_1,Q_2)}$.

(2) If $G^i_{(q_1,Q_2)} \le G^j_{(q_1,Q_2)}$ and $G^j_{(q_1,Q_2)} \le G^i_{(q_1,Q_2)}$ then we write $G^i_{(q_1,Q_2)} \sim G^j_{(q_1,Q_2)}$.

(3) Furthermore, we extend the notation to sets. That is, $G_i \le G_j$ iff for all $G^i_{(q_1,Q_2)} \in G_i$ we have $G^j_{(q_1,Q_2)} \in G_j$ and $G^i_{(q_1,Q_2)} \le G^j_{(q_1,Q_2)}$; and $G_i \sim G_j$ iff $G_i \le G_j$ and $G_j \le G_i$.



We now show that a fixed point is reached at order-2. That we reach a fixed point is important, since, when $G_i \sim G_{i+1}$ there are two key consequences. Firstly, for all $q_1$ and $Q_2$, we have $G^i_{(q_1,Q_2)} \in G_i$ iff we also have $G^{i+1}_{(q_1,Q_2)} \in G_{i+1}$. This means that, if we ignore the automata labelling the edges of $A_i$ and $A_{i+1}$, the two automata have the same transition structure. The second consequence follows from the first: we have $G^i_{(q_1,Q_2)} \sim G^{i+1}_{(q_1,Q_2)}$ for all $q_1$ and $Q_2$. That is, the automata labelling the edges of $A_i$ and $A_{i+1}$ will be updated in the same manner. It is this repetition that allows us to fix the state-set at order-1, and thus reach a final fixed point.

Property 3.7. There exists $i_1 \ge 0$ such that $G_i \sim G_{i_1}$ for all $i \ge i_1$.

Proof. (Sketch) Since the order-1 state-set in $A_i$ remains constant and we add at most one transition between any state $q_1$ and set of states $Q_2$, there is some $i_1$ where no more transitions are added at order-2. That $G_i \sim G_{i_1}$ for all $i \ge i_1$ follows since the contents of $G^i_{(q_1,Q_2)}$ and $G^{i_1}_{(q_1,Q_2)}$ are derived from the same transition structure. □

Once a fixed point has been reached at order-2, we can fix the state-set at order-1. 

Lemma 3.8. Suppose we have constructed, as above, a sequence of automata $\mathcal{G}^0, \mathcal{G}^1, \dots$ with the associated sets $G_0, G_1, \dots$. Further, suppose there exists an $i_1$ such that for all $i \ge i_1$ we have $G_i \sim G_{i_1}$. We can define a sequence of automata $\mathcal{G}^{i_1}_*, \mathcal{G}^{i_1+1}_*, \dots$ such that the state-set in $\mathcal{G}^i_*$ remains constant and there exists $i_0$ such that $\mathcal{G}^{i_0}_*$ characterises the sequence; that is, the following are equivalent for all $w$,

(1) The run $g^i_{(q,Q)} \xrightarrow{w}_i Q_1$ with $Q_1 \subseteq Q_f$ exists in $\mathcal{G}^i$ for some $i$.

(2) The run $g^{i_0}_{(q,Q)} \xrightarrow{w}_{i_0} Q_2$ with $Q_2 \subseteq Q_f$ exists in $\mathcal{G}^{i_0}_*$.

(3) The run $g^{i'}_{(q,Q)} \xrightarrow{w}_{i'} Q_3$ with $Q_3 \subseteq Q_f$ exists in $\mathcal{G}^{i'}_*$ for some $i'$.

Proof. Follows from the definition of $\mathcal{G}^{i+1}_* = T_{G_{i_1}[i_1/i_1-1]}(\mathcal{G}^i_*)$, Lemma D.2, Lemma D.3 and Lemma D.4. □
We use $\mathcal{G}^{i+1}_* = T_{G_{i_1}[i_1/i_1-1]}(\mathcal{G}^i_*)$ to construct the sequence $\mathcal{G}^{i_1}_*, \mathcal{G}^{i_1+1}_*, \dots$ with $\mathcal{G}^{i_1}_* = \mathcal{G}^{i_1}$. Intuitively, since the transitions from the states introduced to define $\mathcal{G}^i$ for $i > i_1$ are derived from similar sets, we can compress the subsequent repetition into a single set of new states. The substitution $[i_1/i_1-1]$ makes the sets in $G_{i_1}$ self-referential. This generates the loops shown in Figure 7. Since the state-set of this new sequence does not change and the alphabet $\Sigma$ is finite, the transition structure will become saturated.

We define $\mathcal{G}^* = \mathcal{G}^{i_0}_*$, letting $g^*_{(q,Q)} = g^{i_0}_{(q,Q)}$ for each $g^{i_0}_{(q,Q)}$. Finally, we show that we can construct the automaton $A_*$.

Property 3.9. There exists an automaton $A_*$ which is sound and complete with respect to $A_0, A_1, \dots$ and hence computes the set $Pre^*(\mathcal{C}_{Init})$.

Proof. By Property 3.7 there is some $i_1$ with $G_i \sim G_{i_1}$ for all $i \ge i_1$. By Lemma 3.8 we have $\mathcal{G}^* = \mathcal{G}^{i_0}_*$. We then define $A_*$ from $A_{i_1}$ with each transition $q \longrightarrow Q'$ in $A_{i_1}$ labelled with the automaton $G^*_{(q,Q')}$ from $\mathcal{G}^*$. □

Thus, we have the following algorithm for constructing $A_*$:

(1) Given $A_0$, iterate $A_{i+1} = T_{\mathcal{D}}(A_i)$ until the fixed point $A_{i_1}$ is reached.

(2) Iterate $\mathcal{G}^{i+1}_* = T_{G_{i_1}[i_1/i_1-1]}(\mathcal{G}^i_*)$ to generate the fixed point $\mathcal{G}^*$ from $\mathcal{G}^{i_1}$.

(3) Construct $A_*$ by labelling the transitions of $A_{i_1}$ with automata derived from $\mathcal{G}^*$.



3.5. The General Case and Complexity. We may generalise our algorithm to order-$n$ for all $n$ by extending Definition 3.2 to $n$-store automata using similar techniques to those used in Definition 3.3. Termination is reached through a cascading of fixed points. As we fixed the state-set at order-1 in the order-2 case, we may fix the state-set at order-$(n-1)$ in the order-$n$ case. We may then generalise Property 3.7 and Lemma 3.8 to find a sequence of fixed points $i_n, \dots, i_0$, from which $A_*$ can be constructed. For a complete description of this procedure, we refer the reader to Hague's forthcoming Ph.D. thesis [16].

We claim our algorithm runs in $n$-EXPTIME. Intuitively, when the state-set $Q$ is fixed at order-1 of the store automaton, we add at most $O(2^{|Q|})$ transitions (since we never remove states, it is this final stage that dominates the complexity). At orders $l > 1$ we add at most exponentially many new transitions, which exponentially increases the state-set at order-$(l-1)$. Hence, the algorithm runs in $n$-EXPTIME. This algorithm is optimal since reachability games over higher-order PDSs are $n$-EXPTIME-complete [26]. An alternative proof of $n$-EXPTIME-hardness, by reduction from the non-emptiness of order-$(n+1)$ PDA, is due to appear in Hague's Ph.D. thesis [16]. It was shown by Engelfriet that the non-emptiness problem for order-$(n+1)$ PDSs is $n$-EXPTIME-complete [10].

When the higher-order PDS is nondeterministic (rather than alternating), we add at most $|Q|^2$ transitions at order-$n$. Hence, the complexity is $(n-1)$-EXPTIME, matching the lower bound of the non-emptiness problem for higher-order PDA (as acceptors of word languages).
4. Applications

In this section we discuss some of the applications of our algorithm to decision problems over higher-order PDSs.

4.1. Model-Checking Linear-Time Temporal Logics. Bouajjani et al. use their backwards reachability algorithm to provide a model-checking algorithm for linear-time temporal logics over the configuration graphs of pushdown systems [2]. In this section we show that this work permits a simple generalisation to higher-order PDSs.

Let $Prop$ be a finite set of atomic propositions and $(\mathcal{P}, \mathcal{D}, \Sigma)$ be a higher-order PDS with a labelling function $\Lambda : \mathcal{P} \to 2^{Prop}$ which assigns to each control state a set of propositions deemed to be true at that state. Given a formula $\phi$ of an $\omega$-regular logic such as LTL or $\mu$TL, we calculate the set of configurations $C$ of $(\mathcal{P}, \mathcal{D}, \Sigma)$ such that every run from each $c \in C$ satisfies $\phi$.

It is well known that any formula of an $\omega$-regular logic has a Büchi automaton representation [31, 18, 30] etc. We form the product of the higher-order PDS and the Büchi automaton corresponding to the negation of $\phi$. This gives us a higher-order Büchi PDS; that is, a higher-order PDS with a set of accepting control states. Thus, model-checking reduces to the non-emptiness problem for higher-order Büchi PDSs. Specifically, we compute the set of configurations from which there is an infinite run visiting configurations with control states in $\mathcal{F}$ infinitely often. Note that $C$ is the complement of this set.

This problem can be reduced further to a number of applications of the reachability problem. We present a generalisation of the reduction of Bouajjani et al. Let $[^1 a]^1$ denote the order-1 stack consisting of a single character $a$ and $[^l a]^l$ for $l > 1$ denote the stack consisting of a single order-$(l-1)$ stack $[^{l-1} a]^{l-1}$.

Proposition 4.1. Let $c$ be a configuration of an order-$n$ Büchi PDS $BP$. It is the case that $BP$ has an accepting run from $c$ iff there exist distinct configurations $(p^j, [^n a]^n)$ and $(p^j, \gamma_2)$ with $top_1(\gamma_2) = a$ and a configuration $(p^f, \gamma_1)$ such that $p^f \in \mathcal{F}$ and,

(1) $c \to^* (p^j, \gamma_3)$ for some $\gamma_3$ with $top_1(\gamma_3) = a$, and

(2) $(p^j, [^n a]^n) \to^* (p^f, \gamma_1) \to^* (p^j, \gamma_2)$.

Proof. See Appendix E. □

We reformulate these conditions as follows, where $\mathcal{C}_n$ is the set of all order-$n$ stacks over the alphabet $\Sigma$. We remind the reader that $B^a_n$ is the $n$-store automaton accepting all $n$-stores $\gamma$ such that $top_1(\gamma) = a$.

(1) $c \in Pre^*(\{p^j\} \times \mathcal{L}(B^a_n))$,

(2) $(p^j, [^n a]^n) \in Pre^*((\mathcal{F} \times \mathcal{C}_n) \cap Pre^+(\{p^j\} \times \mathcal{L}(B^a_n)))$

We can compute the set of pairs $(p^j, [^n a]^n)$ satisfying (2) in $n$-EXPTIME by calculating $Pre^*(\{p^j\} \times \mathcal{L}(B^a_n))$ over the following higher-order PDS:

Definition 4.2. Given an order-$n$ Büchi PDS $BP = (\mathcal{P}, \mathcal{D}, \Sigma, \mathcal{F})$ we define $BP' = (\mathcal{P} \times \{0,1\}, \mathcal{D}', \Sigma)$ where,

$$\begin{aligned} \mathcal{D}' = {} & \{\, ((p,0), b, o, (p',0)) \mid p \in \mathcal{P} \setminus \mathcal{F} \wedge (p,b,o,p') \in \mathcal{D} \,\} \;\cup \\ & \{\, ((p,0), b, o, (p',1)) \mid p \in \mathcal{F} \wedge (p,b,o,p') \in \mathcal{D} \,\} \;\cup \\ & \{\, ((p,1), b, o, (p',1)) \mid (p,b,o,p') \in \mathcal{D} \,\} \end{aligned}$$
Lemma 4.3. There exists a run $((p,0), [^n a]^n) \to^* ((p,1), w')$ with $w' \in \mathcal{L}(B^a_n)$ in $BP'$ iff $(p, [^n a]^n)$ satisfies (2).

Proof. See Appendix E. Since $BP'$ is twice as large as $BP$, $Pre^*(\{p^j\} \times \mathcal{L}(B^a_n))$ for $BP'$ can be calculated in $n$-EXPTIME. This gives the set of configurations satisfying (2). □

To construct an $n$-store automaton accepting all configurations from which there is an accepting run, we calculate the configurations $(p^j, [^n a]^n)$ satisfying the second condition. Since there are only finitely many $p^j$ and $a \in \Sigma$ we can perform a simple enumeration. We then construct an $n$-store automaton $A$ corresponding to the $n$-store automata accepting configurations satisfying (2) and compute $Pre^*(\mathcal{L}(A))$.

Theorem 4.4. Given an order-$n$ Büchi PDS $BP = (\mathcal{P}, \mathcal{D}, \Sigma, \mathcal{F})$, we can calculate in $n$-EXPTIME the set of configurations $C$ such that from all $c \in C$ there is an accepting run of $BP$.

Proof. Let $exp_0(x) = x$ and $exp_n(x) = 2^{exp_{n-1}(x)}$. We appeal to Lemma 4.3 for each $p^j$ and $a$ (of which there are polynomially many) to construct an $n$-store automaton $O(exp_n(2 \times |\mathcal{P}|))$ in size which accepts $(p^j, [^n a]^n)$ iff it satisfies (2). Membership can be checked in polynomial time (Proposition B.3).

It is straightforward to construct an automaton $A$ polynomial in size which accepts $(p, w)$ iff $(p, [^n top_1(w)]^n)$ satisfies (2). We can construct $Pre^*(\mathcal{L}(A))$ in $n$-EXPTIME. Thus, the algorithm requires $n$-EXPTIME. □

Corollary 4.5. Given an order-$n$ PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$ with a labelling function $\Lambda : \mathcal{P} \to 2^{Prop}$ and a formula $\phi$ of an $\omega$-regular logic, we can calculate in $(n+2)$-EXPTIME the set of configurations $C$ of $(\mathcal{P}, \mathcal{D}, \Sigma)$ such that every run from each $c \in C$ satisfies $\phi$.

Proof. The construction of $BP$ is exponential in size. Hence, we construct the $n$-store multi-automaton $A$ that accepts the set of configurations from which there is a run satisfying the negation of $\phi$ as described above in time $O(exp_n(2^{|\phi|}))$. To calculate $C$ we complement $A$ as described in Appendix B.3. This may include an exponential blow-up in the transition relation of $A$, hence we have $(n+2)$-EXPTIME. □

Observe that since we can test $c \in C$ by checking $c \notin \mathcal{L}(A)$ where $A$ is defined as above, we may avoid the complementation step, giving us an $(n+1)$-EXPTIME algorithm.

4.2. Reachability Games. Our algorithm may be used to compute the winning region for a player in a two-player reachability game over higher-order PDSs. This generalises a result due to Cachat [25]. We call our players Eloise and Abelard.

Definition 4.6. Given an order-$n$ PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$, an order-$n$ Pushdown Reachability Game (PRG) $(\mathcal{P}, \mathcal{D}, \Sigma, \mathcal{R})$ over the order-$n$ PDS is given by a partition $\mathcal{P} = \mathcal{P}_A \uplus \mathcal{P}_E$ and a set $\mathcal{R}$ of configurations considered winning for Eloise.

We write $(p, \gamma) \in \mathcal{C}_E$ iff $p \in \mathcal{P}_E$ and $(p, \gamma) \in \mathcal{C}_A$ iff $p \in \mathcal{P}_A$. From a configuration $(p, \gamma)$ play proceeds as follows:

• If $(p, \gamma) \in \mathcal{C}_A$, Abelard chooses a move $(p, a, o, p') \in \mathcal{D}$ with $top_1(\gamma) = a$ and $o(\gamma)$ defined. Play moves to the configuration $(p', o(\gamma))$.

• If $(p, \gamma) \in \mathcal{C}_E$, Eloise chooses a move $(p, a, o, p') \in \mathcal{D}$ with $top_1(\gamma) = a$ and $o(\gamma)$ defined. Play moves to the configuration $(p', o(\gamma))$.

Eloise wins the game iff play reaches a configuration $(p, \gamma)$ where $(p, \gamma) \in \mathcal{R}$ or $p \in \mathcal{P}_A$ and Abelard is unable to choose a move. Abelard wins otherwise.

The winning region for a given player is the set of all configurations from which that player can force a win. The winning region for Eloise can be characterised using an attractor $Attr_E(\mathcal{R})$ defined as follows,

$$\begin{aligned} Attr^0_E(\mathcal{R}) &= \mathcal{R} \\ Attr^{i+1}_E(\mathcal{R}) &= Attr^i_E(\mathcal{R}) \cup \{\, c \in \mathcal{C}_E \mid \exists c'.\, c \to c' \wedge c' \in Attr^i_E(\mathcal{R}) \,\} \\ &\qquad \cup \{\, c \in \mathcal{C}_A \mid \forall c'.\, c \to c' \Rightarrow c' \in Attr^i_E(\mathcal{R}) \,\} \\ Attr_E(\mathcal{R}) &= \bigcup_{i \ge 0} Attr^i_E(\mathcal{R}) \end{aligned}$$

Conversely, the winning region for Abelard is the complement $\overline{Attr_E(\mathcal{R})}$. Intuitively, from a position in $Attr^{i+1}_E(\mathcal{R})$, Eloise's winning strategy is to simply choose a move such that the next configuration is in $Attr^i_E(\mathcal{R})$. Abelard's strategy is to avoid Eloise's winning region.

We can use backwards-reachability for order-$n$ APDSs to calculate $Attr_E(\mathcal{R})$, and hence the winning regions of both Abelard and Eloise. To simplify the reduction, we make a totality assumption. That is, we assume a bottom-of-the-stack symbol $\bot$ that is never popped nor pushed, and for all $a \in \Sigma \cup \{\bot\}$ and control states $p \in \mathcal{P}$, there exists a command $(p, a, o, p') \in \mathcal{D}$. This can be ensured by adding sink states $p^E_{lose}$ and $p^A_{lose}$ from which Eloise and Abelard lose the game. In particular, for every $p \in \mathcal{P}$ and $a \in \Sigma \cup \{\bot\}$ we have $(p, a, \mathit{push}_a, p^x_{lose})$ where $x = E$ if $p \in \mathcal{P}_E$ or $x = A$ otherwise. Furthermore, the only commands available from $p^x_{lose}$ are of the form $(p^x_{lose}, a, \mathit{push}_a, p^x_{lose})$ for $x \in \{A, E\}$. To ensure that $p^A_{lose}$ is losing for Abelard, we set $(p^A_{lose}, \gamma) \in \mathcal{R}$ for all $\gamma$. Conversely, $(p^E_{lose}, \gamma) \notin \mathcal{R}$ for all $\gamma$.

Definition 4.7. Given an order-$n$ PRG $(\mathcal{P}, \mathcal{D}, \Sigma, \mathcal{R})$ we define an order-$n$ APDS $(\mathcal{P}, \mathcal{D}', \Sigma)$ where,

$$\begin{aligned} \mathcal{D}' = {} & \{\, (p, a, \{(o, p')\}) \mid (p, a, o, p') \in \mathcal{D} \wedge p \in \mathcal{P}_E \,\} \\ \cup\; & \{\, (p, a, \{\, (o, p') \mid (p, a, o, p') \in \mathcal{D} \,\}) \mid p \in \mathcal{P}_A \,\} \end{aligned}$$

Furthermore, let $\mathcal{R}_{stuck}$ be the set of configurations $(p, \bot)$ such that $p \in \mathcal{P}_A$. The set $\mathcal{R}_{stuck}$ is regular and represents the configurations reached if Abelard performs a move with an undefined next stack.

Let $\mathcal{C}_\bot$ be the set of order-$n$ configurations with an undefined stack and a control state belonging to Abelard.

Theorem 4.8. Given an order-$n$ PRG, where $\mathcal{R}$ is a regular set of configurations, and an order-$n$ APDS as defined above, $Attr_E(\mathcal{R})$ is regular and equivalent to $Pre^*(\mathcal{R} \cup \mathcal{R}_{stuck}) \setminus \mathcal{C}_\bot$. Hence, computing the winning regions in the order-$n$ PRG is $n$-EXPTIME.

4.3. Model-Checking Branching-Time Temporal Logics. Generalising a further result of Bouajjani et al. [2], we show that backwards-reachability for higher-order APDSs may be used to perform model-checking for the alternation-free (propositional) $\mu$-calculus over higher-order PDSs. Common logics such as CTL are sub-logics of the alternation-free $\mu$-calculus.
4.3.1. Preliminaries. Given a set of atomic propositions $Prop$ and a finite set of variables $\mathcal{X}$, the propositional $\mu$-calculus is defined by the following grammar,

$$\phi := \pi \in Prop \mid X \in \mathcal{X} \mid \neg\phi \mid \phi_1 \vee \phi_2 \mid \Diamond\phi \mid \mu X.\phi$$

with the condition that, for a formula $\mu X.\phi$, $X$ must occur under an even number of negations. This ensures that the logic is monotonic. As well as the usual abbreviations for $\Rightarrow$ and $\wedge$, we may also use $\Box\phi = \neg\Diamond\neg\phi$, $\nu X.\phi(X) = \neg\mu X.\neg\phi(\neg X)$ and $\sigma$ for either $\mu$ or $\nu$. A $\sigma$-formula is of the form $\sigma X.\phi$.

A variable $X$ is bound in $\phi$ if it occurs as part of a sub-formula $\sigma X.\phi'(X)$. We call an unbound variable free and write $\phi(X)$ to indicate that $X$ is free in $\phi$. A closed formula has no variables occurring free, otherwise the formula is open.

Formulae in positive normal form are defined by the following syntax,

$$\phi := \pi \in Prop \mid \neg\pi \mid X \in \mathcal{X} \mid \phi_1 \vee \phi_2 \mid \phi_1 \wedge \phi_2 \mid \Diamond\phi \mid \Box\phi \mid \mu X.\phi \mid \nu X.\phi$$

We can translate any formula into positive normal form by "pushing in" the negations using the abbreviations defined above.

A $\sigma$-sub-formula of $\sigma X.\phi(X)$ is proper iff it does not contain any occurrence of $X$. We are now ready to define the alternation-free $\mu$-calculus:

Definition 4.9. The alternation-free $\mu$-calculus is the set of formulae $\phi$ in positive normal form such that for every $\sigma$-sub-formula $\psi$ of $\phi$ we have,

• If $\psi$ is a $\mu$-formula, then all $\nu$-sub-formulae of $\psi$ are proper, and

• If $\psi$ is a $\nu$-formula, then all $\mu$-sub-formulae of $\psi$ are proper.

The closure $cl(\phi)$ of a formula $\phi$ is the smallest set such that,

• If $\psi_1 \wedge \psi_2 \in cl(\phi)$ or $\psi_1 \vee \psi_2 \in cl(\phi)$, then $\psi_1 \in cl(\phi)$ and $\psi_2 \in cl(\phi)$, and

• If $\Diamond\psi \in cl(\phi)$ or $\Box\psi \in cl(\phi)$, then $\psi \in cl(\phi)$, and

• If $\sigma X.\psi(X) \in cl(\phi)$, then $\psi(\sigma X.\psi(X)) \in cl(\phi)$.

The closure of any formula is a finite set whose size is bounded by the length of the formula.

Finally, we give the semantics of the $\mu$-calculus over higher-order PDSs. Given a formula $\phi$, an order-$n$ PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$, a labelling function $\Lambda : \mathcal{P} \to 2^{Prop}$, and a valuation function $V$ assigning a set of configurations to each variable $X \in \mathcal{X}$, the set of configurations $[\![\phi]\!]_V$ satisfying $\phi$ is defined,

$$\begin{aligned} [\![\pi]\!]_V &= \Lambda^{-1}(\pi) \times \mathcal{C}_n \\ [\![X]\!]_V &= V(X) \\ [\![\neg\phi]\!]_V &= (\mathcal{P} \times \mathcal{C}_n) \setminus [\![\phi]\!]_V \\ [\![\phi_1 \vee \phi_2]\!]_V &= [\![\phi_1]\!]_V \cup [\![\phi_2]\!]_V \\ [\![\Diamond\phi]\!]_V &= Pre([\![\phi]\!]_V) \\ [\![\mu X.\phi]\!]_V &= \bigcap \{\, C \subseteq \mathcal{P} \times \mathcal{C}_n \mid [\![\phi]\!]_{V[X \mapsto C]} \subseteq C \,\} \end{aligned}$$

where $V[X \mapsto C]$ is the valuation mapping all variables $Y \ne X$ to $V(Y)$ and $X$ to $C$.

4.3.2. Model-Checking the Alternation-Free $\mu$-Calculus. Given an order-$n$ PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$ with a labelling function $\Lambda : \mathcal{P} \to 2^{Prop}$, a formula $\phi$ of the alternation-free $\mu$-calculus, and a valuation $V$, we show that we can generalise the construction of Bouajjani et al. to produce an $n$-store multi-automaton accepting the set $[\![\phi]\!]_V$.

Initially, we only consider formulae whose $\sigma$-sub-formulae are $\mu$-formulae. We construct a product of the higher-order PDS and the usual "game" interpretation of [23, 24] as follows: observing that commands of the form $(\_, a, \mathit{push}_a, \_)$ do not alter the contents of the stack, we construct the order-$n$ PRG $\mathcal{A} = (\mathcal{P}^{(\mathcal{P},\phi)}, \mathcal{D}_\phi, \Sigma, \mathcal{R})$ where $\mathcal{P}^{(\mathcal{P},\phi)} = \mathcal{P}^{(\mathcal{P},\phi)}_A \uplus \mathcal{P}^{(\mathcal{P},\phi)}_E$ and $\mathcal{D}_\phi$ are the smallest sets such that for every $(p, \psi) \in \mathcal{P} \times cl(\phi)$ and $a \in \Sigma$,

• If $\psi = \psi_1 \vee \psi_2$, then we have $(p, \psi) \in \mathcal{P}^{(\mathcal{P},\phi)}_E$ and $((p, \psi), a, \mathit{push}_a, (p, \psi_1)) \in \mathcal{D}_\phi$ and $((p, \psi), a, \mathit{push}_a, (p, \psi_2)) \in \mathcal{D}_\phi$,

• If $\psi = \psi_1 \wedge \psi_2$, then we have $(p, \psi) \in \mathcal{P}^{(\mathcal{P},\phi)}_A$ and $((p, \psi), a, \mathit{push}_a, (p, \psi_1)) \in \mathcal{D}_\phi$ and $((p, \psi), a, \mathit{push}_a, (p, \psi_2)) \in \mathcal{D}_\phi$,

• If $\psi = \mu X.\psi'(X)$, then $(p, \psi) \in \mathcal{P}^{(\mathcal{P},\phi)}_A$ and $((p, \psi), a, \mathit{push}_a, (p, \psi'(\psi))) \in \mathcal{D}_\phi$,

• If $\psi = \Diamond\psi'$ and $(p, a, o, p') \in \mathcal{D}$, then $(p, \psi) \in \mathcal{P}^{(\mathcal{P},\phi)}_E$ and $((p, \psi), a, o, (p', \psi')) \in \mathcal{D}_\phi$,

• If $\psi = \Box\psi'$, then $(p, \psi) \in \mathcal{P}^{(\mathcal{P},\phi)}_A$ and for every $(p, a, o, p') \in \mathcal{D}$ it is the case that $((p, \psi), a, o, (p', \psi')) \in \mathcal{D}_\phi$.

Finally, we define the set of configurations $\mathcal{R}$ that indicate that the formula is satisfied by $(\mathcal{P}, \mathcal{D}, \Sigma)$, $\Lambda$ and $V$. The set $\mathcal{R}$ contains all configurations of the form,

• $((p, \pi), \gamma)$ where $\pi \in \Lambda(p)$,

• $((p, \neg\pi), \gamma)$ where $\pi \notin \Lambda(p)$,

• $((p, X), \gamma)$, where $X$ is free in $\phi$ and $(p, \gamma) \in V(X)$.

If $V(X)$ is regular for all $X$ free in $\phi$, then $\mathcal{R}$ is also regular.

Commands of the form $(\_, a, \mathit{push}_a, \_)$ are designed to deconstruct sub-formulae into literals that can be evaluated immediately. These commands require that the top order-one stack is not empty, otherwise play would be unable to proceed. Correctness of the construction requires the top order-one stack to contain at least one stack symbol. This condition may be ensured with a special "bottom of the stack" symbol $\bot \in \Sigma$. This symbol marks the bottom of all order-one stacks and is never pushed or popped, except in the case of a command $(\_, \bot, \mathit{push}_\bot, \_)$. The use of such a symbol is common throughout the literature [11, 25] etc.

Proposition 4.10. Given the order-$n$ PRG $\mathcal{A} = (\mathcal{P}^{(\mathcal{P},\phi)}, \mathcal{D}_\phi, \Sigma, \mathcal{R})$ constructed from the order-$n$ PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$, a labelling function $\Lambda$, a valuation $V$, and a formula $\phi$ of the alternation-free $\mu$-calculus such that all $\sigma$-sub-formulae of $\phi$ are $\mu$-sub-formulae, we have $(p, \gamma) \in [\![\phi]\!]_V$ iff $((p, \phi), \gamma) \in Attr_E(\mathcal{R})$.

Proof. (Sketch) The result follows from the fundamental theorem of the propositional $\mu$-calculus [23, 11]. If $((p, \phi), \gamma) \in Attr_E(\mathcal{R})$, then there is a winning strategy for Eloise in $\mathcal{A}$. In the absence of $\nu$-sub-formulae, this winning strategy defines a well-founded choice function and hence a well-founded pre-model for $(\mathcal{P}, \mathcal{D}, \Sigma)$, $\Lambda$, $V$ and $\phi$ with initial state $(p, \gamma)$. Thus, by the fundamental theorem, $(p, \gamma)$ satisfies $\phi$.

In the opposite direction, if $(p, \gamma)$ satisfies $\phi$, then, by the fundamental theorem, there is a well-founded pre-model with choice function $f$. Since there are no $\nu X.\psi$ sub-formulae in $\phi$, all paths in the pre-model are finite and all leaves are of a form accepted by $\mathcal{R}$. Hence, a winning strategy for Eloise is defined by $f$ and we have $((p, \phi), \gamma) \in Attr_E(\mathcal{R})$. □

In the dual case, when all $\sigma$-sub-formulae of $\phi$ are $\nu$-sub-formulae, we observe that the negation of $\phi$ has only $\mu$-sub-formulae. We construct $Attr_E(\mathcal{R})$ for $\neg\phi$ and complement the resulting $n$-store multi-automaton (see Appendix B.3) to construct the set of configurations satisfying $\phi$.
We are now ready to give a recursive algorithm for model-checking with the alternation-free $\mu$-calculus. We write $\Phi = \{\phi_i\}_{i=1}^m$ to denote a set of sub-formulae such that no $\phi_i$ is a sub-formula of another. Furthermore, we write $\phi[U/\Phi]$ where $U = \{U_i\}_{i=1}^m$ is a set of fresh variables to denote the simultaneous substitution in $\phi$ of $\phi_i$ with $U_i$ for all $i \in \{1, \dots, m\}$. The following proposition is taken directly from [2]:

Proposition 4.11. Let $\phi$ be a $\mu$-formula ($\nu$-formula) of the alternation-free $\mu$-calculus, and let $\Phi = \{\phi_i\}_{i=1}^m$ be the family of maximal $\nu$-sub-formulae ($\mu$-sub-formulae) of $\phi$ with respect to the sub-formula relation. Then,

$$[\![\phi]\!]_V = [\![\phi[U/\Phi]]\!]_{V'}$$

where $U = \{U_i\}_{i=1}^m$ is a suitable family of fresh variables, and $V'$ is the valuation which extends $V$ by assigning to each $U_i$ the set $[\![\phi_i]\!]_V$. □

Since, given a $\mu$-formula ($\nu$-formula) $\varphi$, the formula $\varphi[U/\Phi]$ has only $\mu$-sub-formulae ($\nu$-sub-formulae), we can calculate $\llbracket \varphi_i \rrbracket_V$ for all $\varphi_i \in \Phi$, using the above propositions to calculate an automaton recognising $\llbracket \varphi \rrbracket_V$.

Theorem 4.12. Given an order-n PDS $(\mathcal{P}, \mathcal{D}, \Sigma)$, a labelling function $\Lambda$, a valuation function $V$ and a formula $\varphi$ of the alternation-free $\mu$-calculus, we can construct an n-store multi-automaton $A$ such that $\mathcal{L}(A) = \llbracket \varphi \rrbracket_V$. □

4.3.3. Complexity. Let $exp_0(x) = x$ and $exp_n(x) = 2^{exp_{n-1}(x)}$. A formula $\varphi$ can be described as a tree structure with $\varphi$ at the root. Each node in the tree is a $\mu$-sub-formula or a $\nu$-sub-formula $\psi$ of $\varphi$. The children of the node are all maximal $\nu$-sub-formulae or $\mu$-sub-formulae of $\psi$ respectively. There are at most $|\varphi|$ nodes in the tree, where $|\varphi|$ is the length of $\varphi$. Let $n_{\mathcal{R}}$ be the number of states in the n-store automaton recognising $\mathcal{R}$. The size of this automaton is linear in the size of the automata specifying $V$ for each variable $X$.

The n-store multi-automaton recognising $\llbracket \psi \rrbracket_V$ for a leaf node $\psi$ has $O(exp_n(n_{\mathcal{R}}))$ states. Together with a possible complementation step (which does not increase the state-set) we require 0{expn+i{n-p ■ n^)) time and $\mathcal{B}$ may be of size 0{expn+i{nv)).

Similarly, the n-store multi-automaton recognising $\llbracket \psi \rrbracket_{V'}$ for an internal node $\psi$ with children $\varphi_1, \dots, \varphi_m$ has $O(exp_n(\sum_{i=1}^m n_i + n_{\mathcal{R}}) \times 2^*)$ states, where $n_i$ is the size of the automaton recognising $\llbracket \varphi_i \rrbracket_V$ for $i \in \{1, \dots, m\}$ and $b_i$ is the size of $\mathcal{B}$ for that automaton. Due to the final complementation step, $|\mathcal{B}|$ may be of size $O(exp_{n+1}(\sum_{i=1}^m n_i + n_{\mathcal{R}}))$, which is also the total time required.

Subsequently, the automaton $A$ recognising $\llbracket \varphi \rrbracket_{V'}$ has $O(exp_{n \cdot |\varphi|}(n_{\mathcal{R}}))$ states and can be constructed in $O(exp_{(n \cdot |\varphi|)+1}(n_{\mathcal{R}}))$ time. Since we may test $c \in C$ for any configuration $c$ and set of configurations $C$ by checking $c \notin \overline{C}$, we may avoid the final complementation step to give us an $O(exp_{n \cdot |\varphi|}(n_{\mathcal{R}}))$ time algorithm.

5. Conclusion

Given an automaton representation of a regular set of higher-order APDS configurations $C_{init}$, we have shown that the set $Pre^*(C_{init})$ is regular and computable via automata-theoretic methods. This builds upon previous work on pushdown systems [2] and higher-order context-free processes [T]. The main innovation of this generalisation is the careful management of a complex automaton construction. This allows us to identify a sequence of cascading fixed points, resulting in a terminating algorithm.

Our result has many applications. We have shown that it can be used to provide a solution to the model-checking problem for linear-time temporal logics and the alternation-free $\mu$-calculus. In particular, we compute the set of configurations of a higher-order PDS satisfying a given constraint. We also show that the winning regions can be computed for a reachability game played over a higher-order PDS.

There are several possible extensions to this work. We plan to investigate the applications of this work to higher-order pushdown games with more general winning conditions. In his Ph.D. thesis, Cachat adapts the reachability algorithm of Bouajjani et al. [2] to calculate the winning regions in Büchi games over pushdown processes [25]. It is likely that our work will permit similar extensions. We also intend to generalise this work to higher-order collapsible pushdown automata, which can be used to study higher-order recursion schemes [29, 17]. This may provide the first steps into the study of the global model-checking problem over these structures. Finally, an alternative definition of higher-order pushdown systems defines the higher-order pop operation as the inverse of the push operation. That is, a stack may only be popped if it matches the stack below. The results of Carayol [1] show that the set $Pre^*(C_{init})$ over these structures is regular, using Carayol's notion of regularity. However, the complexity of computing this set is unknown. We may attempt to adapt our algorithm to this setting, proving the required complexity bounds.
Appendix A. Notions of Regularity

We show that our notion of a regular set of n-stores coincides with the definition of Bouajjani and Meyer. Bouajjani and Meyer show that a set of n-stores is regular iff it is accepted by a level n nested store automaton.

Because we are considering n-stores rather than configurations, we assume that there is only one control state, and hence, an n-store multi-automaton has only a single initial state. We also disregard the undefined store $\bot$, since it is not strictly a store. Observe that we are left with n-store automata.

In the absence of alternation, the set of n-store automata is definitionally equivalent to the set of level n nested store automata in the sense of Bouajjani and Meyer. Hence, it is the case that every level n nested store automaton is also an n-store automaton.

We need to prove that every n-store automaton has an equivalent level n nested store automaton. We present the following definition:

Definition A.1. Given an n-store automaton $A = (Q, \Sigma, \Delta, q_0, Q_f)$ we define a level n nested store automaton $\hat{A} = (2^Q, \Sigma, \hat{\Delta}, \{q_0\},\ )$ where, if $n = 1$,

$$\hat{\Delta} = \{\ (\{q_1, \dots, q_m\}, a, Q') \mid \forall i \in \{1, \dots, m\}.\ (\exists (q_i, a, Q_i) \in \Delta) \wedge Q' = Q_1 \cup \dots \cup Q_m\ \}$$

and if $n > 1$,

$$\hat{\Delta} = \{\ (\{q_1, \dots, q_m\}, \hat{B}, Q') \mid \forall i \in \{1, \dots, m\}.\ (\exists (q_i, B_i, Q_i) \in \Delta) \wedge Q' = Q_1 \cup \dots \cup Q_m \wedge B = B_1 \cap \dots \cap B_m\ \}$$

where $\hat{B}$ is defined recursively and the construction of $B_1 \cap \dots \cap B_m$ is given in Section B.3.

Property A.2. For any $w$, the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ exists in the n-store automaton $A$ iff the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ exists in $\hat{A}$.

Proof. The proof is by induction over $n$ and then by a further induction over the length of $w$.

Suppose $n = 1$. When $w = \varepsilon$ the proof is immediate. When $w = aw'$ we have in one direction,

$$\{q_1, \dots, q_m\} \xrightarrow{a} Q_1 \xrightarrow{w'} Q'$$

in $A$, and by induction over the length of the run, $Q_1 \xrightarrow{w'} Q'$ in $\hat{A}$. By definition of the runs of $A$ we have $q_i \xrightarrow{a} Q_1^i$ for each $i \in \{1, \dots, m\}$ with $Q_1 = Q_1^1 \cup \dots \cup Q_1^m$. Hence, by definition of $\hat{A}$ we have the transition $\{q_1, \dots, q_m\} \xrightarrow{a} Q_1^1 \cup \dots \cup Q_1^m = Q_1$. Hence we have the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ in $\hat{A}$ as required.

In the other direction we have a run of the form

$$\{q_1, \dots, q_m\} \xrightarrow{a} Q_1 \xrightarrow{w'} Q'$$

in $\hat{A}$, and by induction over the length of the run, $Q_1 \xrightarrow{w'} Q'$ in $A$. By definition of the transition relation of $\hat{A}$ we have $q_i \xrightarrow{a} Q_1^i$ in $A$ for each $i \in \{1, \dots, m\}$ with $Q_1 = Q_1^1 \cup \dots \cup Q_1^m$. Hence, we have the transition $\{q_1, \dots, q_m\} \xrightarrow{a} Q_1^1 \cup \dots \cup Q_1^m = Q_1$ in $A$. Thus, we have the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ in $A$ as required.

When $n > 1$ and $w = \varepsilon$ the proof is immediate. When $w = \gamma w'$ we have in one direction,

$$\{q_1, \dots, q_m\} \xrightarrow{\gamma} Q_1 \xrightarrow{w'} Q'$$

in $A$, and by induction over the length of the run, $Q_1 \xrightarrow{w'} Q'$ in $\hat{A}$. By definition of the runs of $A$ we have $q_i \xrightarrow{B_i} Q_1^i$ with $\gamma \in \mathcal{L}(B_i)$ for each $i \in \{1, \dots, m\}$ with $Q_1 = Q_1^1 \cup \dots \cup Q_1^m$. Consequently, we have $\gamma \in \mathcal{L}(B)$ where $B = B_1 \cap \dots \cap B_m$. By induction over $n$ we have $\gamma \in \mathcal{L}(\hat{B})$. Hence, by definition of $\hat{A}$ we have the transition $\{q_1, \dots, q_m\} \xrightarrow{\hat{B}} Q_1^1 \cup \dots \cup Q_1^m = Q_1$. Hence we have the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ in $\hat{A}$ as required.

In the other direction we have a run of the form

$$\{q_1, \dots, q_m\} \xrightarrow{\gamma} Q_1 \xrightarrow{w'} Q'$$

in $\hat{A}$. In particular, we have $\{q_1, \dots, q_m\} \xrightarrow{\hat{B}} Q_1$ in $\hat{A}$ with $\gamma \in \mathcal{L}(\hat{B})$. By induction over the length of the run, $Q_1 \xrightarrow{w'} Q'$ in $A$. By definition of the transition relation of $\hat{A}$ we have $q_i \xrightarrow{B_i} Q_1^i$ for each $i \in \{1, \dots, m\}$ with $B = B_1 \cap \dots \cap B_m$ and $Q_1 = Q_1^1 \cup \dots \cup Q_1^m$. By induction over $n$ we have $\gamma \in \mathcal{L}(B)$ and hence $\gamma \in \mathcal{L}(B_i)$ for all $i \in \{1, \dots, m\}$. Therefore, we have $q_i \xrightarrow{\gamma} Q_1^i$ in $A$ for all $i \in \{1, \dots, m\}$. Thus, we have the transition $\{q_1, \dots, q_m\} \xrightarrow{\gamma} Q_1^1 \cup \dots \cup Q_1^m = Q_1$ in $A$ and the run $\{q_1, \dots, q_m\} \xrightarrow{w} Q'$ as required. □

Corollary A.3. A set of n-stores is definable by an n-store automaton iff it is definable by a level n nested store automaton. □



Appendix B. Algorithms over n-Store (Multi-)Automata

In this section we describe several algorithms over n-store automata and n-store multi- 
automata. Observe that an n-store automaton is a special case of an n-store multi- 
automaton. 

B.1. Enumerating Runs.

Proposition B.1. Given a 1-store (multi-)automaton $A = (Q, \Sigma, \Delta, \_, Q_f)$, a set of states $Q$ and word $w$, the set of all $Q'$ reachable via a run $Q \xrightarrow{w} Q'$ can be calculated in time $O(2^{|Q|})$.

Proof. We define the following procedure, which given a set of sets of states $\mathcal{Q}_1$ computes the set of sets $Q'$ with $Q \in \mathcal{Q}_1$ and $Q \xrightarrow{a} Q'$.

EXPAND(a, 𝒬_1)
  let 𝒬_next = ∅
  for each {q_1, ..., q_m} ∈ 𝒬_1
    let ok = (∃(q_1, a, _) ∈ Δ)
    let 𝒬 = Δ(q_1, a)
    for i = 2 to m
      ok = ok ∧ (∃(q_i, a, _) ∈ Δ)
      𝒬 = { Q' ∪ Q'' | Q' ∈ 𝒬 ∧ (q_i, a, Q'') ∈ Δ }
    if ok then 𝒬_next = 𝒬_next ∪ 𝒬
  return 𝒬_next

The outer loop repeats $O(2^{|Q|})$ times and the inner loop $|Q|$ times. Since the number of $Q' \in \mathcal{Q}$ is $O(2^{|Q|})$ and the number of $(q_i, a, Q'') \in \Delta$ is also $O(2^{|Q|})$, construction of $\mathcal{Q}$ takes time $O(2^{|Q|})$. Hence the procedure takes time $O(2^{|Q|} \times |Q| \times 2^{|Q|})$, that is $O(2^{|Q|})$.

EXPAND is correct since $Q_{next} \in \mathcal{Q}_{next}$ at the end of the procedure iff we have $\{q_1, \dots, q_m\} \in \mathcal{Q}_1$ and some $(q_i, a, Q^i_{next}) \in \Delta$ for each $i \in \{1, \dots, m\}$ with $Q_{next} = Q^1_{next} \cup \dots \cup Q^m_{next}$. Over a word $w = a_1 \dots a_m$ we define the following procedure.

EXPANDWORD(a_1 ... a_m, Q)
  let 𝒬_1 = {Q}
  for i = 1 to m
    𝒬_1 = EXPAND(a_i, 𝒬_1)
  return 𝒬_1

This procedure requires $m$ runs of EXPAND and consequently runs in time $O(2^{|Q|})$.

We prove the correctness of EXPANDWORD by induction over the length of the word. When $w = a_1$ correctness follows from the correctness of EXPAND. In the inductive case $w = a_1 \dots a_m$. We have all runs of the form $Q \xrightarrow{a_1} Q_1$ as before, and all runs over $a_2 \dots a_m$ from all $Q_1$ by induction. We have all runs of the form $Q \xrightarrow{w} Q'$ therefrom. □

Proposition B.2. Given an l-store (multi-)automaton $A = (Q, \Sigma, \Delta, \_, Q_f)$ with $l > 1$, a set of states $Q$ and a number $e$, the set of all $Q'$ reachable via a run $Q \xrightarrow{B_1} \cdots \xrightarrow{B_e} Q'$ can be calculated in time $O(2^{|Q| + |\Delta|})$.

Proof. We define the following procedure, which given a set of sets of states $\mathcal{Q}_1$ computes the set of sets $Q'$ and sets of $(l-1)$-store automata $\mathcal{B}$ with $Q \in \mathcal{Q}_1$ and $Q \xrightarrow{\mathcal{B}} Q'$.

EXPAND(𝒬_1)
  let 𝒬_next = ∅
  for each {q_1, ..., q_m} ∈ 𝒬_1
    for each set {(q_1, B_1, Q^1_next), ..., (q_m, B_m, Q^m_next)} ⊆ Δ
      𝒬_next = 𝒬_next ∪ {({B_1, ..., B_m}, Q^1_next ∪ ... ∪ Q^m_next)}
  return 𝒬_next

The outer loop repeats at most $O(2^{|Q|})$ times. At most $O(2^{|\Delta|})$ sets need to be enumerated during the inner loop. Hence, EXPAND runs in time $O(2^{|Q| + |\Delta|})$. The correctness of EXPAND is immediate.

To complete the algorithm, we define the following procedure,

EXPANDETIMES(e, Q)
  let 𝒬_1 = EXPAND({Q})
  for h = 1 to e
    for each (B_1, ..., B_p, Q') ∈ 𝒬_1
      𝒬_1 = 𝒬_1 ∪ ({(B_1, ..., B_p)} × EXPAND({Q'}))
  return 𝒬_1 ∩ (𝓑^e × 2^Q)

This procedure requires $O(e \times (e \times 2^{|Q|}) \times 2^{|\Delta|})$ iterations of the loop. Each iteration requires time $O(2^{|Q| + |\Delta|})$ and consequently the procedure runs in time $O(2^{|Q| + |\Delta|})$.

By the correctness of EXPAND we have $(\mathcal{B}, Q') \in \mathcal{Q}_1$ iff we have the path $Q \xrightarrow{\mathcal{B}} Q'$ in $A$. After execution of the loop we have, by correctness of EXPAND, $(B_1, \dots, B_e, Q') \in \mathcal{Q}_1$ iff we have the following path in $A$: $Q \xrightarrow{B_1} \cdots \xrightarrow{B_e} Q'$. □

B.2. Membership.

Proposition B.3. Given an n-store (multi-)automaton $A = (Q, \Sigma, \Delta, \_, Q_f)$ and an n-store $w$ we can determine whether there is an accepting run over $w$ in $A$ from a given state $q \in Q$ in time $O(|w||\Delta||Q|)$.

Proof. When $w = \bot$ we can check membership immediately. Otherwise the algorithm is recursive. In the base case, when $n = 1$ and $w = a_1 \dots a_m$, we present the following well-known algorithm.

let Q = Q_f
for i = m downto 1
  Q = { q' | (q', a_i, Q') ∈ Δ ∧ Q' ⊆ Q }
return (q ∈ Q)

This algorithm requires time $O(m|\Delta||Q|)$. We prove that this algorithm is correct at order 1 by induction over $m$. When $m = 1$, we have $q \in Q$ at the end of the algorithm iff there exists a transition $(q, a_1, Q') \in \Delta$ where $Q' \subseteq Q_f$. When $w = a_1 a_2 \dots a_m$ we have $q \in Q$ at the end of the algorithm iff there exists a transition $(q, a_1, Q')$ where, by induction, if $q' \in Q'$ then the word $a_2 \dots a_m$ is accepted from $q'$. Hence, we have $q \in Q$ iff there is an accepting run over $w$ from $q$.

When $n > 1$ we generalise the algorithm given above. Let $w = \gamma_1 \dots \gamma_m$,

let Q = Q_f
for i = m downto 1
  Q = { q' | (q', B, Q') ∈ Δ ∧ γ_i ∈ L(B) ∧ Q' ⊆ Q }
return (q ∈ Q)

The outer loop of the program repeats $m$ times, and there are $|\Delta|$ transitions to be checked. By considering all labelling automata as a single automaton with an initial state for each (as in the backwards reachability construction), we make a single recursive call (for each $\gamma_i$ in $w$), obtaining all states accepting $\gamma_i$. Checking $\gamma_i \in \mathcal{L}(B)$ then requires checking whether the appropriate initial state is in the result of the recursive call. We have $|w| = |\gamma_1| + \dots + |\gamma_m|$, hence the algorithm requires $O(|\gamma_1||\Delta_1||Q| + \dots + |\gamma_m||\Delta_1||Q|) = O(|w||\Delta_1||Q|)$ time for the pre-computation, then $O(m|\Delta_2||Q|)$ time for the body of the algorithm, where $\Delta = \Delta_1 \cup \Delta_2$ is the partition of $\Delta$ into the order-n and lower-order parts. Hence, we require $O(|w||\Delta||Q|)$ time.

We prove that this algorithm is correct at order $n > 1$ by induction over $m$. When $m = 1$, we have $q \in Q$ at the end of the algorithm iff there exists a transition $(q, B, Q') \in \Delta$ with $\gamma_1 \in \mathcal{L}(B)$ and $Q' \subseteq Q_f$. When $w = \gamma_1 \gamma_2 \dots \gamma_m$ we have $q \in Q$ at the end of the algorithm iff there exists a transition $(q, B, Q')$ where $\gamma_1 \in \mathcal{L}(B)$ and, by induction, if $q' \in Q'$ then the word $\gamma_2 \dots \gamma_m$ is accepted from $q'$. Hence, we have $q \in Q$ iff there is an accepting run over $w$ from $q$. □

B.3. Boolean Operations. We can form the intersection, union and complement of n-store automata. Intersection and union are straightforward. We omit the details. To complement n-store multi-automata, we begin by defining an operation on sets of sets.

Definition B.4. Given a set of sets $\{Q_1, \dots, Q_m\}$ we define,

$$invert(\{Q_1, \dots, Q_m\}) = \{\ \{q_1, \dots, q_m\} \mid q_i \in Q_i \wedge 1 \le i \le m\ \}$$

Definition B.5. Given an n-store multi-automaton $A = (Q, \Sigma, \Delta, \{q^1, \dots, q^z\}, Q_f)$, we define $\bar{A}$ as follows.

• When $n = 1$ we assume $A$ is total (this is a standard assumption that can easily be satisfied by adding a sink state). We define $\bar{A} = (Q, \Sigma, \Delta', \{q^1, \dots, q^z\}, Q \setminus Q_f)$ where $\Delta'$ is the smallest set such that for each $q \in Q$ and $a \in \Sigma$ we have,

(1) The transitions from $q$ in $A$ over $a$ are $(q, a, Q_1), \dots, (q, a, Q_m)$, and

(2) $\mathcal{Q}_a = invert(\bigcup_{i \in \{1, \dots, m\}} \{Q_i\})$, and

(3) $\Delta'(q, a) = \mathcal{Q}_a$.

Since $\mathcal{Q}_a$ may be exponential in size, the construction runs in exponential time when $n = 1$.

• When $n > 1$ we define $\bar{A} = (Q \cup \{q^*_f, q^*_\bot\}, \Sigma, \Delta', \{q^1, \dots, q^z\}, (Q \cup \{q^*_f, q^*_\bot\}) \setminus Q_f)$ where $q^*_f, q^*_\bot \notin Q$, all n-stores are accepted from $q^*_f$ and $q^*_\bot$ has no outgoing transitions. Furthermore $\Delta'$ is the smallest set such that for each $q \in Q$ we have,

(1) The non-$\bot$ transitions from $q$ in $A$ are $(q, B_1, Q_1), \dots, (q, B_m, Q_m)$ (we assume $m > 1$), and

(2) For all $\mathcal{B} \in 2^{\{B_1, \dots, B_m\}}$ we have,

$$\mathcal{Q}_{\mathcal{B}} = \begin{cases} \{\{q^*_f\}\} & \text{if } \mathcal{B} = \emptyset \\ invert(\bigcup_{B_i \in \mathcal{B}} \{Q_i\}) & \text{otherwise} \end{cases}$$

Note we have $\bar{B}_i$ recursively; and

(3) $\Delta'(q, B_{\mathcal{B}}) = \mathcal{Q}_{\mathcal{B}}$, and

(4) For all $j \in \{1, \dots, z\}$ we have $(q^j, \bot, \{q^*_\bot\}) \in \Delta'$ iff there is no $\bot$-transition from $q^j$ in $A$.

Overall, when $n > 1$ there may be an exponential blow up in the number of transitions and the construction of each $B_{\mathcal{B}}$ may take exponential time. The construction is therefore exponential.
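The order-1 cases of Propositions B.1 and B.3 and of Definition B.5 can be exercised directly. The following Python program is an added example and is not part of the paper: it encodes a small constructed 1-store alternating automaton, implements EXPAND and EXPANDWORD, the backwards membership test, and the complement via invert, and checks Property B.6 by brute force over all short words. All names in it (STATES, DELTA, member, complement_is_sound, ...) are this example's own and not notation from the paper.

```python
from itertools import product

# Added example, not from the paper.  A 1-store (order-1) alternating
# automaton A = (Q, Sigma, Delta, q0, Qf): DELTA maps (state, letter) to the
# list of successor sets Q' with (state, letter, Q') in Delta.  The automaton
# is constructed for illustration; from q0 it accepts exactly  a a* | b (a|b)*.
STATES = {"q0", "q1", "q2", "sink"}
ALPHABET = {"a", "b"}
DELTA = {
    ("q0", "a"): [frozenset({"q1", "q2"})],                 # both q1 and q2 must accept
    ("q0", "b"): [frozenset({"q1"}), frozenset({"q2"})],    # q1 or q2 must accept
    ("q1", "a"): [frozenset({"q1"})], ("q1", "b"): [frozenset({"q1"})],    # q1: any word
    ("q2", "a"): [frozenset({"q2"})], ("q2", "b"): [frozenset({"sink"})],  # q2: a*
    ("sink", "a"): [frozenset({"sink"})], ("sink", "b"): [frozenset({"sink"})],
}
FINAL = {"q1", "q2"}   # q0 and sink are non-accepting; every (q, a) has a transition (total)


def expand(delta, letter, sets_of_states):
    """EXPAND(a, Q1) of Proposition B.1: all Q' with Q --a--> Q' for some Q in Q1.
    {q1, ..., qm} steps to Q' iff every qi has a transition (qi, a, Qi) in Delta
    and Q' = Q1 u ... u Qm.  If some qi has no a-transition the set has no run."""
    result = set()
    for qs in sets_of_states:
        choices = [delta.get((q, letter), []) for q in qs]
        if any(not c for c in choices):
            continue
        for pick in product(*choices):           # one successor set per state
            result.add(frozenset().union(*pick))
    return result


def expand_word(delta, word, start):
    """EXPANDWORD(a1 ... am, Q): every Q' reachable via a run Q --w--> Q'."""
    sets_of_states = {frozenset(start)}
    for letter in word:
        sets_of_states = expand(delta, letter, sets_of_states)
    return sets_of_states


def member(delta, final, state, word):
    """Backwards membership test of Proposition B.3 at order 1:
    Q := Qf; for i = m downto 1: Q := { q' | (q', a_i, Q') in Delta and Q' <= Q }.
    Accepts iff state in Q, i.e. iff an accepting run over word exists from state."""
    reachable = set(final)
    for letter in reversed(word):
        reachable = {q for (q, a), succs in delta.items()
                     if a == letter and any(s <= reachable for s in succs)}
    return state in reachable


def invert(sets):
    """invert({Q1, ..., Qm}) = { {q1, ..., qm} | qi in Qi } of Definition B.4."""
    return {frozenset(pick) for pick in product(*sets)}


def complement(states, alphabet, delta, final):
    """Definition B.5 for n = 1: Delta'(q, a) = invert(successor sets of q over a)
    and the final states become Q \\ Qf.  A must be total, as the definition assumes."""
    delta_c = {}
    for q in states:
        for a in alphabet:
            succs = delta.get((q, a), [])
            if not succs:
                raise ValueError("complement() requires a total automaton")
            delta_c[(q, a)] = list(invert(succs))
    return delta_c, set(states) - set(final)


def complement_is_sound(max_len):
    """Property B.6 checked exhaustively on words up to max_len: from every state,
    the complement accepts w iff A has no accepting run over w."""
    delta_c, final_c = complement(STATES, ALPHABET, DELTA, FINAL)
    for n in range(max_len + 1):
        for word in product(sorted(ALPHABET), repeat=n):
            for q in STATES:
                if member(DELTA, FINAL, q, word) == member(delta_c, final_c, q, word):
                    return False
    return True


if __name__ == "__main__":
    print(sorted(map(sorted, expand_word(DELTA, "ab", {"q0"}))))
    print(member(DELTA, FINAL, "q0", "aa"), member(DELTA, FINAL, "q0", "aab"))
    print("complement agrees with membership:", complement_is_sound(5))
```

The exponential cost named in the text is visible in `complement`: `invert` enumerates one state from each successor set, so a state with many alternating choices over one letter produces many transitions in the complement. The brute-force check in `complement_is_sound` is the kind of oracle one keeps beside such a construction, since the membership test is independent of the complement and catches a wrong `invert` immediately.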

We now show that the above definition is correct.

Property B.6. Given an n-store multi-automaton $A$, we have $\mathcal{L}(\bar{A}_j) = \overline{\mathcal{L}(A_j)}$ for all $j \in \{1, \dots, z\}$.

Proof. We propose the following induction hypothesis: an accepting run $q \xrightarrow{w} Q$ exists in $\bar{A}$ iff there is no accepting run $q \xrightarrow{w} Q'$ in $A$. We proceed first by induction over $n$ and then by induction over the length of the run.

When $n = 1$, and the length of the run is zero, the induction hypothesis follows since $Q_f \cap (Q \setminus Q_f) = \emptyset$. When the length of the run is larger than zero, we begin by showing the if direction. Assume we have an accepting run,

$$q \xrightarrow{a} Q_1 \xrightarrow{w} Q$$

in $\bar{A}$ for some $a$ and $w$. Suppose for contradiction we have a run,

$$q \xrightarrow{a} Q'_1 \xrightarrow{w} Q'$$

in $A$ with $Q' \subseteq Q_f$. Then, by induction over the length of the run, there are no accepting runs over $w$ in $A$ from any state in $Q_1$. In $A$ we have the transition $(q, a, Q'_1)$. By definition there is some $q' \in Q'_1$ with $q' \in Q_1$ and consequently the accepting run $Q'_1 \xrightarrow{w} Q'$ cannot exist in $A$. We have a contradiction.

In the only-if direction, assume there is no run,

$$q \xrightarrow{a} Q'_1 \xrightarrow{w} Q'$$

with $Q' \subseteq Q_f$ in $A$. For all transitions of the form $q \xrightarrow{a} Q'_1$ (guaranteed to exist since $A$ is total) there is no accepting run $Q'_1 \xrightarrow{w} Q'$. Hence, there is some $q' \in Q'_1$ with no accepting run over $w$, and by induction over the length of the run, there is an accepting run from $q'$ over $w$ in $\bar{A}$.

Let $\{(q, a, Q'_1), \dots, (q, a, Q'_e)\}$ be the set of all transitions in $A$ from $q$ over $a$. For each $i \in \{1, \dots, e\}$, let $q'_i \in Q'_i$ be the state from which there is no accepting run over $w$ in $A$ and hence an accepting run over $w$ in $\bar{A}$. By definition of $\Delta'$ the transition $q \xrightarrow{a} \{q'_1, \dots, q'_e\}$ exists in $\bar{A}$. Hence we have the accepting run,

$$q \xrightarrow{a} \{q'_1, \dots, q'_e\} \xrightarrow{w} Q$$

in $\bar{A}$ as required.

We now consider the inductive case $n > 1$. If $q = q^*_f$ or $q = q^*_\bot$ the result is immediate. Similarly, when the length of the run is zero, the property follows since $Q_f \cap ((Q \cup \{q^*_f, q^*_\bot\}) \setminus Q_f) = \emptyset$. Furthermore, since we have an (accepting) $\bot$-transition from $q^j$ for all $j \in \{1, \dots, z\}$ in $\bar{A}$ iff there is no (accepting) $\bot$-transition from $q^j$ in $A$, the result is also straightforward in this case.

Otherwise, in the if direction, assume we have an accepting run,

$$q \xrightarrow{\gamma} Q_1 \xrightarrow{w} Q$$

in $\bar{A}$ for some $\gamma$ and $w$. Suppose for contradiction we have a run,

$$q \xrightarrow{\gamma} Q'_1 \xrightarrow{w} Q'$$

in $A$ with $Q' \subseteq Q_f$. Then, by induction over the length of the run, there are no accepting runs over $w$ in $A$ from any state in $Q_1$. In $A$ we have the transition $(q, B, Q'_1)$ with $\gamma \in \mathcal{L}(B)$, hence $B$ must appear positively on the transition in $\Delta'$ from $q$ to $Q_1$ (else $\bar{B}$ appears, and by induction over $n$, $\gamma \notin \mathcal{L}(\bar{B})$). By definition there is some $q' \in Q'_1$ with $q' \in Q_1$ and consequently the run $Q'_1 \xrightarrow{w} Q'$ cannot exist in $A$. We have a contradiction.

In the only-if direction, assume there is no run,

$$q \xrightarrow{\gamma} Q'_1 \xrightarrow{w} Q'$$

with $Q' \subseteq Q_f$ in $A$. There are two cases.

• If there are no transitions $q \xrightarrow{\gamma} Q'_1$ in $A$ then for all transitions $(q, B_i, Q_i) \in \Delta$ we have $\gamma \in \mathcal{L}(\bar{B}_i)$ by induction over $n$. Hence, in $\bar{A}$ we have a run,

$$q \xrightarrow{\gamma} \{q^*_f\} \xrightarrow{w} Q$$

which is an accepting run as required.

• If there are transitions of the form $q \xrightarrow{\gamma} Q'_1$ in $A$ then for each of these runs there is no accepting run $Q'_1 \xrightarrow{w} Q'$. Hence, there is some $q' \in Q'_1$ with no accepting run over $w$, and by induction over the length of the run, there is an accepting run from $q'$ over $w$ in $\bar{A}$.

Let $\{(q, B_1, Q'_1), \dots, (q, B_e, Q'_e), (q, B'_1, Q''_1), \dots, (q, B'_h, Q''_h)\}$ be the set of all transitions in $A$ from $q$ such that $\gamma \in \mathcal{L}(B_i)$ for all $i \in \{1, \dots, e\}$ and $\gamma \notin \mathcal{L}(B'_i)$ for all $i \in \{1, \dots, h\}$ (and consequently $\gamma \in \mathcal{L}(\bar{B}'_i)$). For each $i \in \{1, \dots, e\}$ let $q'_i \in Q'_i$ be the state from which $A$ has no accepting run over $w$ and hence $\bar{A}$ has an accepting run over $w$. By definition of $\Delta'$ the transition $q \xrightarrow{B} \{q'_1, \dots, q'_e\}$ with $B = B_1 \cap \dots \cap B_e \cap \bar{B}'_1 \cap \dots \cap \bar{B}'_h$ exists in $\bar{A}$. Hence we have the accepting run,

$$q \xrightarrow{\gamma} \{q'_1, \dots, q'_e\} \xrightarrow{w} Q$$

in $\bar{A}$ as required.

We have shown that $\bar{A}$ has an accepting run from any state iff there is no accepting run from that state in $A$, as required. □

Appendix C. Soundness and Completeness for $A_0, A_1, \dots$

In this section we show that the sequence $A_0, A_1, \dots$ is sound and complete with respect to $Pre^*(C_{init})$, where $C_{init} = \mathcal{L}(A_0)$.

C.1. Preliminaries. We begin by proving some useful properties of the automaton construction. These properties assert that the automata constructed from the sets $G^i_{(q,Q)}$ are well-behaved. Once this has been established, we need only consider order-n of the automata $A_0, A_1, \dots$ to show soundness and completeness. Note that since no $g^i_{(q,Q)}$ is accepting, any store accepted by some $G^i_{(q,Q)}$ has a $top_1$ element.

In order to reason about a particular transition, we need to know its origin. Hence we introduce the notion of an inherited and a derived transition. The remaining lemmata fall into four categories:

(1) Lemma C.3 shows that inherited runs are sound.

(2) Lemma C.2 shows the completeness of inherited runs.

(3) Lemma C.4 and Lemma C.5 show that derived runs are sound.

(4) Lemma C.6 shows the completeness of derived runs.

Definition C.1. A non-empty run $g^i_{(q,Q)} \xrightarrow{w}_i Q'$ of $G^i_{(q,Q)}$ or $q \xrightarrow{w}_i Q'$ of $A_i$ can be characterised by its initial transition. There are two cases,

• A run of $G^i_{(q,Q)}$: Then $w = aw'$ and we have $g^i_{(q,Q)} \xrightarrow{a}_i Q'' \xrightarrow{w'}_i Q'$. If the transition was inherited from $g^{i-1}_{(q,Q)}$ then we say that the run is an inherited run. Otherwise the transition was introduced by some $S \in G^i_{(q,Q)}$. We say that the run was derived from $S$.

• A run of $A_i$: We have $w = \gamma w'$ and $q \xrightarrow{G}_i Q'' \xrightarrow{w'}_i Q'$ with $\gamma \in \mathcal{L}(G)$.

If the accepting run of $G$ was inherited, then the run is inherited. If the accepting run of $G$ is derived from some $S' \in G$ and $S'$ was added to $G$ by $T_{\mathcal{D}}$ and the command $d$, then the run $q \xrightarrow{w}_i Q'$ is derived from $d$.

The language accepted by the sequence $A_0, A_1, \dots$ or $G^0, G^1, \dots$ is increasing. In particular, if $q \xrightarrow{w}_i Q$ exists in $A_i$, then $q \xrightarrow{w}_{i+1} Q$ exists in $A_{i+1}$.

Lemma C.2.

(1) If $g^i_{(q_1,Q_2)} \xrightarrow{w}_i Q$ is a run of $G^i_{(q_1,Q_2)}$ for some $i$ (and $w \neq \varepsilon$), then $g^{i+1}_{(q_1,Q_2)} \xrightarrow{w}_{i+1} Q$ is a run of $G^{i+1}_{(q_1,Q_2)}$.

(2) For all transitions $q \xrightarrow{B}_i Q'$ in $A_i$ for some $i$, we have the transition $q \xrightarrow{B}_{i+1} Q'$ in $A_{i+1}$.

(3) For all runs $q \xrightarrow{w}_i Q'$ of $A_i$ for some $i$, we have the run $q \xrightarrow{w}_{i+1} Q'$ in $A_{i+1}$.

Proof. To prove (2) we observe that there are two cases. In the first case, the transition from $q$ to $Q'$ is labelled by an automaton $B \in \mathcal{B}$. Because this transition will remain unchanged by $T_{\mathcal{D}}$, the lemma follows immediately. In the second case, the transition is labelled by $G^i_{(q,Q')}$ and the property follows directly from (1) and the run $g^i_{(q,Q')} \xrightarrow{w_\gamma}_i Q''$ with $Q'' \subseteq Q_f$ for $[w_\gamma] = \gamma$. Since $g^i_{(q,Q')}$ is not an accepting state, it is the case that $w_\gamma \neq \varepsilon$.

We note that (3) can be shown by repeated applications of (2).

Finally, we show (1). The automaton $G^i_{(q_1,Q_2)}$ has the run,

$$g^i_{(q_1,Q_2)} \xrightarrow{a}_i Q' \xrightarrow{w'}_i Q$$

where $w = aw'$.

By definition the automaton $G^{i+1}_{(q_1,Q_2)}$ has the transition $g^{i+1}_{(q_1,Q_2)} \xrightarrow{a}_{i+1} Q'$ for every transition $g^i_{(q_1,Q_2)} \xrightarrow{a}_i Q'$. Hence we have the run,

$$g^{i+1}_{(q_1,Q_2)} \xrightarrow{a}_{i+1} Q' \xrightarrow{w'}_{i+1} Q$$

as required. □

Lemma C.3. If a run $g^{i+1}_{(q,Q)} \xrightarrow{w}_{i+1} Q'$ in $G^{i+1}_{(q,Q)}$ is inherited, then the run $g^i_{(q,Q)} \xrightarrow{w}_i Q'$ exists in $G^i_{(q,Q)}$.

Proof. Observe that an inherited run cannot be empty. We have $w = aw'$ and,

$$g^{i+1}_{(q,Q)} \xrightarrow{a}_{i+1} Q'' \xrightarrow{w'}_{i+1} Q'$$

Since the run is an inherited run, we have $g^i_{(q,Q)} \xrightarrow{a}_i Q''$ in $G^i_{(q,Q)}$ and hence,

$$g^i_{(q,Q)} \xrightarrow{a}_i Q'' \xrightarrow{w'}_i Q'$$

in $G^i_{(q,Q)}$ as required. □
Lemma C.4. Suppose the run $g^{i+1}_{(q_1,Q_2)} \xrightarrow{w}_{i+1} Q$ derived from $S$ exists in $G^{i+1}_{(q_1,Q_2)}$ and $\theta_1 \in S$. We have $q_{\theta_1} \xrightarrow{w}_i Q'$ in $G^i$, where $Q' \subseteq Q$.

Proof. Observe that, since the run is derived, we have $w \neq \varepsilon$. Let $w = aw'$. We have the following run in $G^{i+1}_{(q_1,Q_2)}$,

$$g^{i+1}_{(q_1,Q_2)} \xrightarrow{a}_{i+1} Q'' \xrightarrow{w'}_{i+1} Q$$

and by definition, since the run is derived from $S$ and $\theta_1 \in S$, we have $q_{\theta_1} \xrightarrow{a}_i Q_{\theta_1}$ in $G^i$ where $Q_{\theta_1} \subseteq Q''$, and hence,

$$q_{\theta_1} \xrightarrow{a}_i Q_{\theta_1} \xrightarrow{w'}_i Q'$$

with $Q' \subseteq Q$ as required. □
Lemma C.5. Suppose the run $g^{i+1}_{(q_1,Q_2)} \xrightarrow{w}_{i+1} Q$ derived from $S$ exists in $G^{i+1}_{(q_1,Q_2)}$ and there is some $(a, o, \theta_1) \in S$. If $[w'] = o([w])$, we have $q_{\theta_1} \xrightarrow{w'}_i Q'$ in $G^i$, where $Q' \subseteq Q$.

Proof. Since the run is derived, we have $w \neq \varepsilon$. We have $w = aw''$. There is only one value of $o$, $o = push_{w_p}$, and $[w'] = o([w]) = [w_p w'']$. We have the following run in $G^{i+1}_{(q_1,Q_2)}$,

$$g^{i+1}_{(q_1,Q_2)} \xrightarrow{a}_{i+1} Q'' \xrightarrow{w''}_{i+1} Q$$

and by definition, since the run is derived from $S$ and $(a, o, \theta_1) \in S$, we have $q_{\theta_1} \xrightarrow{w_p}_i Q_{\theta_1}$ in $G^i$ where $Q_{\theta_1} \subseteq Q''$, and hence,

$$q_{\theta_1} \xrightarrow{w_p}_i Q_{\theta_1} \xrightarrow{w''}_i Q'$$

with $Q' \subseteq Q$ as required. □

Lemma C.6. Let $S = \{\alpha_1, \dots, \alpha_m\} \in G^{i+1}_{(q,Q)}$. Given some $\gamma$ with $top_1(\gamma) = a$ such that for each $e \in \{1, \dots, m\}$ we have,

• If $\alpha_e = \theta_e$ then $\gamma_e = \gamma$ and $\gamma_e \in \mathcal{L}(\theta_e)$

• If $\alpha_e = (b, o_e, \theta_e)$ then $b = a$, $o_e(\gamma) = \gamma_e$ and $\gamma_e \in \mathcal{L}(\theta_e)$

we have $\gamma \in \mathcal{L}(G^{i+1}_{(q,Q)})$.

Proof. Let $\gamma = [aw]$. We have $\alpha_e = \theta_e$ or $\alpha_e = (a, push_{w_e}, \theta_e)$. We have,

• When $\alpha_e = \theta_e$, the run,

$$q_{\theta_e} \xrightarrow{aw}_i Q^e_f$$

with $Q^e_f \subseteq Q_f$ in $G^i$. Furthermore, $\gamma_e = \gamma$.

• When $\alpha_e = (a, push_{w_e}, \theta_e)$, the run,

$$q_{\theta_e} \xrightarrow{w_e w}_i Q^e_f$$

with $Q^e_f \subseteq Q_f$ in $G^i$. Furthermore, we have $\gamma_e = [w_e w]$.

Hence, since $S \in G^{i+1}_{(q,Q)}$, we have from the definition of the run,

$$g^{i+1}_{(q,Q)} \xrightarrow{aw}_{i+1} Q^1_f \cup \dots \cup Q^e_f \cup \dots \cup Q^m_f$$

with $Q^1_f \cup \dots \cup Q^m_f \subseteq Q_f$. Hence $\gamma \in \mathcal{L}(G^{i+1}_{(q,Q)})$ as required. □



C.2. Soundness. We show that for any configuration $(p^j, \gamma)$ such that $\gamma \in \mathcal{L}(A^j_i)$, for some $i$, we have $(p^j, \gamma) \Rightarrow^* C$ with $C \subseteq C_{init}$. Let $I = \{q^1, \dots, q^z\}$. The following lemma describes the relationship between added transitions and the evolution of the order-2 PDS.

In the following lemma, the restrictions on $w'$ are technical requirements in the case of $pop_2$ operations. They may be justified by observing that only the empty store is accepted from the state $q^\varepsilon_f$, and that, since initial states are never accepting, the empty store cannot be accepted from an initial state.

Lemma C.7. For a given run $q^j \xrightarrow{w}_i Q$ of $A_i$ there exists, for any $w'$ satisfying the conditions below, some $C$ such that $(p^j, [ww']) \Rightarrow^* C$, where $C$ contains configurations of the form $(p^k, [w''w'])$ with $q^k \xrightarrow{w''}_0 Q'$ or $(p^k, \bot)$ with $q^k \xrightarrow{\bot}_0 Q'$. Furthermore, the union of all such $Q'$ is $Q$. We require $w \neq \bot$ and,

(1) If $q^\varepsilon_f \in Q$ then $w' = \varepsilon$,

(2) If $q^k \in Q$ for some $q^k \in I$ then $w' \neq \varepsilon$.

Proof. The proof proceeds by induction on $i$. In the base case $i = 0$ and the property holds trivially. We now consider the case for $i + 1$. Since $T_{\mathcal{D}}$ does not add any $\bot$-transitions, we can assume $w \neq \bot$.

We perform a further induction over the length of the run. In the base case we have $w = \gamma$ (the case $w = \varepsilon$ is immediate with $C = \{(p^j, [w'])\}$) and consider the single transition $q^j \xrightarrow{\gamma}_{i+1} Q$. We assume that the transition is not inherited, else the property holds by Lemma C.3 and induction over $i$. If the transition is not inherited, then the run is derived from some $d$ and we have $\gamma \in \mathcal{L}(G^{i+1}_{(q^j,Q)})$ and the accepting run of $G^{i+1}_{(q^j,Q)}$ is derived from some $S \in G^{i+1}_{(q^j,Q)}$ introduced by $T_{\mathcal{D}}$ during the processing of $d$.

Let $d = (p^j, a, \{(o_1, p^{k_1}), \dots, (o_m, p^{k_m})\})$. We have $(p^j, [\gamma w']) \Rightarrow C$ where,

$$C = \{\ (p^{k_t}, \gamma_t) \mid t \in \{1, \dots, m\} \wedge \gamma_t = o_t([\gamma w'])\ \} \cup \{\ (p^{k_t}, \bot) \mid o_t([\gamma w']) \text{ with } t \in \{1, \dots, m\} \text{ is not defined}\ \}$$

We can decompose the new transition as per the definition of $T_{\mathcal{D}}$. That is $Q = Q_1 \cup \dots \cup Q_m$. There are several cases:

• $o_t = push_2$.

By definition of $T_{\mathcal{D}}$, we have the run,

with $\{B_f\} \cup \theta_1 \cup \theta_2 \subseteq S$. By Lemma C.3 we have $\gamma \in \mathcal{L}(\{B_f\} \cup \theta_1 \cup \theta_2)$. Hence we have,

Q * Q

We have $push_2[\gamma w'] = [\gamma\gamma w']$ and $(p^{k_t}, [\gamma\gamma w']) \in C$. Via induction over $i$ we have the set $C_t$ with $(p^{k_t}, o_t[\gamma w']) \Rightarrow^* C_t$ which satisfies the lemma.

• $o_t = pop_2$.

We have $B_f \in S$. We have, by Lemma C.3, $\gamma \in \mathcal{L}(B_f)$.

If $Q_t = \{q^{k_t}\}$ then $pop_2[\gamma w'] = [w']$ since $w'$ is non-empty, and $C_t = \{(p^{k_t}, [w'])\}$.

If $Q_t = \{q^\varepsilon_f\}$ then $w' = \varepsilon$ and $pop_2[\gamma w']$ is undefined. By definition of $T_{\mathcal{D}}$ we have $q^{k_t} \xrightarrow{\bot}_0 \{q^\varepsilon_f\}$. Let $C_t = \{(p^{k_t}, \bot)\}$.

• $o_t = push_w$.

By definition, we have $q^{k_t} \xrightarrow{\theta}_i Q_t$ in $A_i$ and $(a, o_t, \theta) \in S$. Hence, by Lemma C.5, we have $o_t[\gamma] \in \mathcal{L}(\theta)$ and the run $q^{k_t} \xrightarrow{o_t[\gamma]}_i Q_t$ in $A_i$. Furthermore, it is the case that $(p^{k_t}, o_t[\gamma w']) \in C$ and via induction over $i$ we have a set $C_t$ with $(p^{k_t}, o_t[\gamma w']) \Rightarrow^* C_t$ which satisfies the lemma.

Hence, we have $(p^j, [ww']) \Rightarrow C \Rightarrow^* C_1 \cup \dots \cup C_m$ where $C_1 \cup \dots \cup C_m$ satisfies the lemma.

This completes the proof of the single transition case. Let $w = \gamma_1 \dots \gamma_m$ and (for any $Q$) let $Q = Q^I \cup Q^{\bar{I}}$ where $Q^I$ contains all initial states in $Q$ and $Q^{\bar{I}} = Q \setminus Q^I$. We have the run,

$$q^j \xrightarrow{\gamma_1}_{i+1} Q_1 \xrightarrow{\gamma_2}_{i+1} \cdots \xrightarrow{\gamma_m}_{i+1} Q_m$$

For each $q^k \in Q^I_1$ we have a run,

$$q^k \xrightarrow{\gamma_2}_{i+1} Q^k_2 \xrightarrow{\gamma_3}_{i+1} \cdots \xrightarrow{\gamma_m}_{i+1} Q^k_m$$

and by induction on the length of the run we have $C_k$ such that $(p^k, [\gamma_2 \dots \gamma_m w']) \Rightarrow^* C_k$ and $C_k$ satisfies the lemma. Furthermore, since we only add new transitions to initial states, we have,

$$Q^{\bar{I}}_1 \xrightarrow{\gamma_2}_0 \cdots \xrightarrow{\gamma_m}_0 Q'_m$$

and $Q_m = Q'_m \cup \bigcup_{q^k \in Q^I_1} Q^k_m$.

From $q^j \xrightarrow{\gamma_1}_{i+1} Q_1$ we have $C_1$ with $(p^j, [\gamma_1 \dots \gamma_m w']) \Rightarrow^* C_1$ satisfying the lemma. Let $C'_1$ be the set of all $(p^k, [\gamma_2 \dots \gamma_m w']) \in C_1$ and $C''_1 = C_1 \setminus C'_1$. For each $q^k \in Q^I_1$ we have $(p^k, [\gamma_2 \dots \gamma_m w']) \in C_1$ since there are no transitions to initial states in $A_0$ (and hence we must have $q^k \xrightarrow{\varepsilon}_0 \{q^k\}$ to satisfy the conditions of the lemma for $C_1$). From $(p^k, [\gamma_2 \dots \gamma_m w']) \Rightarrow^* C_k$ and since we have $Q^{\bar{I}}_1 \xrightarrow{\gamma_2 \dots \gamma_m}_0 Q'_m$, it is the case that the set $C = C''_1 \cup \bigcup_{q^k \in Q^I_1} C_k$ has $(p^j, [\gamma_1 \dots \gamma_m w']) \Rightarrow^* C_1 \Rightarrow^* C$ and satisfies the lemma as required. □

Property C.8 (Soundness). For any configuration $(p^j, \gamma)$ such that $\gamma \in \mathcal{L}(A^j_i)$ for some $i$, we have $(p^j, \gamma) \Rightarrow^* C$ such that $C \subseteq C_{init}$. That is, $(p^j, \gamma) \in Pre^*(C_{init})$.

Proof. Let $\gamma = [w]$. Since $\gamma \in \mathcal{L}(A^j_i)$ we have a run $q^j \xrightarrow{w}_i Q'_f$ with $Q'_f \subseteq Q_f$. Since $Q'_f$ contains no initial states, we apply Lemma C.7 with $w' = \varepsilon$. Therefore, we have $(p^j, \gamma) \Rightarrow^* C \subseteq \mathcal{L}(A_0)$. Since $A_0$ is defined to represent $C_{init}$, soundness follows. □



C.3. Completeness.

Property C.9 (Completeness). For all $(p^j, \gamma) \in Pre^*(C_{init})$ there is some $i$ such that $\gamma \in \mathcal{L}(A^j_i)$.

Proof. We take $(p^j, \gamma) \in Pre^*(C_{init})$ and reason by induction over the length of the shortest path $(p^j, \gamma) \Rightarrow^* C$ with $C \subseteq C_{init}$.

In the base case the path length is zero and we have $(p^j, \gamma) \in C_{init}$ and hence $\gamma \in \mathcal{L}(A^j_0)$.

For the inductive step we have $(p^j, \gamma) \Rightarrow C_1 \Rightarrow^* C_2$ with $C_2 \subseteq C_{init}$ and some $i$ such that $C_1 \subseteq \mathcal{L}(A_i)$ by induction. We show $\gamma \in \mathcal{L}(A^j_{i+1})$ by analysis of the higher-order APDS command $d$ used in the transition $(p^j, \gamma) \Rightarrow C_1$.

Let $d = (p^j, a, \{(o_1, p^{k_1}), \dots, (o_m, p^{k_m})\})$. We have

$$C_1 = \{\ (p^{k_t}, \gamma') \mid t \in \{1, \dots, m\} \wedge \gamma' = o_t(\gamma)\ \} \cup \{\ (p^{k_t}, \bot) \mid o_t(\gamma) \text{ with } t \in \{1, \dots, m\} \text{ is not defined}\ \}$$

By induction we have for each $e \in \{1, \dots, m\}$ that $q^{k_e} \xrightarrow{w_{o_e(\gamma)}}_i Q^e_f$ with $Q^e_f \subseteq Q_f$ in $A_i$ if $o_e(\gamma) = [w_{o_e(\gamma)}]$ is defined. Otherwise we have $q^{k_e} \xrightarrow{\bot}_i \{q^\varepsilon_f\}$ in $A_i$.

Let $\gamma = [\gamma' w]$. We have $S = S_1 \cup \dots \cup S_m$ and $Q' = Q_1 \cup \dots \cup Q_m$ where, for each $e \in \{1, \dots, m\}$,

• When $o_e = push_2$, $o_e(\gamma) = [\gamma' \gamma' w]$. Additionally, we have the transitions,

in $A_i$ where $\gamma' \in \mathcal{L}(\{B_f, \theta^1_e\} \cup \theta^2_e)$. Furthermore, we have the run $Q_e \xrightarrow{w}_i Q^e_f$ with $Q^e_f \subseteq Q_f$ and $S_e = \{B_f, \theta^1_e\} \cup \theta^2_e$.

• When $o_e = pop_2$. If $o_e(\gamma) = [w]$, we have the run,

in $A_i$ with $Q^e_f \subseteq Q_f$, $S_e = \{B_f\}$, $\gamma' \in \mathcal{L}(B_f)$ and $Q_e = \{q^{k_e}\}$.

If $o_e(\gamma)$ is undefined we have $w = \varepsilon$ and the run,

$$q^{k_e} \xrightarrow{\bot}_i \{q^\varepsilon_f\}$$

in $A_i$. Hence we have $S_e = \{B_f\}$, $\gamma' \in \mathcal{L}(B_f)$ and $Q_e = Q^e_f = \{q^\varepsilon_f\}$.

• When $o_e = push_w$, we have $o_e(\gamma) = [o_e(\gamma') w]$, and the transition $q^{k_e} \xrightarrow{\theta'_e}_i Q_e$ and run $Q_e \xrightarrow{w}_i Q^e_f$ with $Q^e_f \subseteq Q_f$ in $A_i$. Additionally, $o_e(\gamma') \in \mathcal{L}(\theta'_e)$ and $S_e = \{(a, o_e, \theta'_e)\}$.

Hence, by definition of $A_{i+1}$, we have the transition,

$$q^j \xrightarrow{G}_{i+1} Q_1 \cup \dots \cup Q_m$$

with $S \in G$ and by Lemma C.6 $\gamma' \in \mathcal{L}(G)$. Hence we have the run,

$$q^j \xrightarrow{\gamma'}_{i+1} Q_1 \cup \dots \cup Q_m \xrightarrow{w}_{i+1} Q^1_f \cup \dots \cup Q^m_f$$

with $Q^1_f \cup \dots \cup Q^m_f \subseteq Q_f$ in $A_{i+1}$. That is, $\gamma \in \mathcal{L}(A^j_{i+1})$ as required. □



Appendix D. Proofs for A* 

In this section we provide a proof of Lemma [3.81 The main idea of the proof is that the 
loops in can simulate, correctly, the prefix of any run in and vice- versa. That is, a 
run in begins by traversing it's initial loops before progressing to its accepting states. If 
we unroll this looping we will construct a run of for a sufficiently large i'. In the other 
direction, the prefix of a run in G^ can be simulated by the initial looping behaviour of G^- 

We begin by proving a small lemma that will ease the remaining proofs. 

Lemma D.1. Given $g_{(q_y,Q'_y)} \rightarrow_{i_y} Q_y$ for $y \in \{1, \dots, h\}$ for some $h$, let $i_{max}$ be the 
maximum $i_y$. We have $\{g_{(q_1,Q'_1)}, \dots, g_{(q_h,Q'_h)}\} \rightarrow_{i_{max}} \bigcup_{y \in \{1, \dots, h\}} Q_y$. 

Proof. By Lemma C.2 we have $g_{(q_y,Q'_y)} \rightarrow_{i_{max}} Q_y$ for each $y \in \{1, \dots, h\}$. Hence we have 

the run as required. □ 



D.1. Proofs of Lemma 3.8 

Lemma D.2. There exists some $i_0$ such that $G^i = G^{i_0}$ for all $i > i_0$. Furthermore, we have 
the run $g_{(q,Q')} \rightarrow_i Q_1$ with $Q_1 \subseteq Q_f$ for some $i$ iff we have $g_{(q,Q')} \rightarrow_{i_0} Q_1$ in $G^{i_0}$. 

Proof. This is a simple consequence of the finiteness of $\Sigma$ and of the fact that the construction only adds 
transitions and never states. The automaton will eventually become saturated and no new 
transitions will be added. □ 
Lemma D.3. For all $w$, if $g_{(q,Q')} \rightarrow_i Q_1$ with $Q_1 \subseteq Q_f$ is a run in $G^i$ for some $i$, then 
we have $g_{(q,Q')} \rightarrow_{i_0} Q_2$ with $Q_2 \subseteq Q_f$ in $G^*$. 

Proof. We prove the following property. For any path S^^qQ/-^ —^i {qii ■ ■ ■ ^Qh] in Q^i we 
have a path c/|i -^i^ {g^, . . . ,g)^} in with, 

= 4<i',Q") ^"^^ ^' - ^1 
Qy otherwise 

for all y G {!,..., /i}. Since q-j, = qj for all qf G Qf, the lemma follows. When Q = 

{qi, . . . , qji} we write Q' to denote the set {q[, . . . , q\^}. 

There are two cases. When i < ii, then using that we have only added transitions to 

Q^^ to define and that q'y = qy for all y, we have q,^ —^io {^i; • ■ • ) Qh} 

We now consider the case i > ii. We begin by proving that for a single transition, 

in with 6 G S, we have the following transition in g,^, 

^lq,Q') {^i' ■ ■ -^Ih} 

We consider the source S = {ai, . . . ,am} G ^IqQ') transition from g\^qQiy Since 

^\q,Q') ~ ^® ^^'^^ S[ii/i-l] G Furthermore, we have {qi, ...,qh} = 

$Q_1 \cup \dots \cup Q_m$. For $e \in \{1, \dots, m\}$ there are two cases, 

• If ae = ^, then let g = q^. We have g — ^j-i Qe exists in Q\~^. By induction over i we 

have 5' Q[ in . 

• = {o.,pushwp,0). Then b = a. Let = q^ . By definition of Tgi^^.^^.^_-^^^, we have the 

path g — ^i-i Qe in Q^. By induction on i we have the path g' — in C/*". 
We have Q[u. . .UQ[„ = {q^, . . .,q-^}. Since G^^^^q/) ^ and S[ii/i-l] G 

1], by definition of we have, 

^{?,Q') {ft' • • • 

in as required. 

We now prove the result for a run of more than one step by induction over the length 
of the run. In the base case we have a run of a single transition. The result in this case has 
already been shown. 

In the inductive case we have a run of the form, 

9{q,Q') ill' ■ ■ ■ 'IhiS ■ ■ ■ XQl 5 • • • 'Ihmi 

in Q''. For each y G {1,... ,hi} we have a run qy "'l:::^ ■ Qy such that UyG{i hi}Qy ~ 
{q^, . . . , QhL,^' induction over the length of the run we have qy <^i:::^ ,^ £qj. gg^^jj y 
Hence, since we have g^^^^ q,-^ —^io {Qij ■ ■ ■ iQhi} from the above proof for one transition, we 
have a run of the form, 

ii ap , J !1 !1 1 "1 , rJm '.rn \ 
in $G^*$ as required. □ 
Lemma D.4. For all $w$, if we have $g_{(q,Q')} \rightarrow_i Q_1$ with $Q_1 \subseteq Q_f$ in $G^*$ for some $i$, then 
there is some $i'$ such that the run $g_{(q,Q')} \rightarrow_{i'} Q_1$ exists in $G^{i'}$. 

Proof. We take a run of Q)^^ Q,y 

We show that for all > ii, there is some i"^ > i^ such that, 

w r ? ?i 

9(q,Q') • • -yQhi 

™ ^\q,Q') ^^^6^6' for y G {1, . . . , /i}, 



Qy otherwise 



Since q'j = qj for all qj E Qj, the lemma follows. For a set Q = {qi, . . . ,qh} we write 
Q- = {qi,...,ql}. 

The proof proceeds by induction over $i$. In the base case $i < i_1$ and the property holds 
by Lemma C.2 and since = Ql^ and there are no incoming transitions to any $g_{(q,Q')}$ in 

In the inductive case, we begin by showing for a single transition. 



in G'^gQ') with 6 G E, we have, for all i^ > ii, there is some > i^ such that, 

9{q,Q') — 'i^ i^i' • • • 

in G'^^gQiy We analyse the 5 G G*!^ g,-j [ii/ii — 1] that spawned the transition from 9'(gQ/') 
(we assume the transition is new, else the property holds by induction). 

Let $S = \{a_1, \dots, a_m\}$. We have $\{q_1, \dots, q_h\} = Q_1 \cup \dots \cup Q_m$. For each $e \in \{1, \dots, m\}$, 
there are several cases, 

• ae = 6- 

Let ge = q^ ■ By definition of Q"^ we have the transition — Qe in 

If = G^i^^, Q,,^ then by induction we have i^ > i^ such that g,,^ ~~^'ti Ql 

Otherwise is initial in some B ^ B and the transition g^ Qe also exists in 



b 7 

and is the same as ge — >o Qe- Let We = b. 
Oe = {a,pushwp,0). Then b = a. 

Let ge = q^ ■ By definition of Q"^ we have the run ge — ^i-i Qe in Q^~^ ■ 

li 9 = G^^^, Q,,-^ then by induction we have i^ > i^ such that g,,^ — Ql in 

Otherwise (7e is initial in some B £ B and the transition ge — ^i-i Qe also exists in 
and is the same as ge — Ql- Let We = Wp. 
Let imax be the maximum ie. If Qe = aH'^Q"), we have, by Lemma C.2 -^imax Ql- 

Also, by Lemma C.2 we have ge —^imax Ql when ge is not of the form g,,^. Since we have 
^{Tq'V - ^iim ^^^^ S[imax/h - 1] G and since Q- U . . . U = {g- , . . . , g^} 



we have, 



y{q,Q') ^tmax + l lyi' • • • 1 y/ij" 



in Let = imax + 1 and we are done in the case of a single transition. 

We now expand the result to a complete run by induction over the length of the run. 
That is, we take a run of $G^*_{(q,Q')}$, 

and show that for all > ii there is some > such that, 

j2 w ^7 7 1 

5(g,Q') iQ'l, • • • 

The base case has already been shown. We now consider the run, 

^{g,Q') "-^1' ■ ■ • '^^iJ • • • ' • • • 

We have "-1:::!!^ ^ Qy for each y G {1, . . . , /ii} and Uj;g{i,...,/ii} <3y = i^™' ■■■^IhrJ- Then 
for all y ∈ {1, . . . , h1} via induction and Lemma D.1 we have for all > i1 an imax with 

We then use the result for a single transition to obtain the result for the complete run. That 
is, we have for imax an > imax such that, 

i2 on J ?1 n\ r ?m ^mi 

exists in as required. □ 



Appendix E. Applications: Proofs and Definitions 
E.1. Proof of Proposition 4.1 

Proof. We show that a higher-order Büchi PDS has an accepting run iff the following condition 
holds: let $c$ be a configuration of an order-$n$ Büchi PDS $BP$. There is an accepting run in 
$BP$ from $c$ iff there exist distinct configurations $(p, [^n a]^n)$ and $(p, \gamma_2)$ with $top_1(\gamma_2) = a$ 
and a configuration $(p^f, \gamma_1)$ such that $p^f \in \mathcal{F}$ and, 

(1) $c \rightarrow^* (p, \gamma_3)$ for some $\gamma_3$ with $top_1(\gamma_3) = a$, and 

(2) $(p, [^n a]^n) \rightarrow^* (p^f, \gamma_1) \rightarrow^* (p, \gamma_2)$ 

⇒: Every higher-order stack may be flattened into a well bracketed string, as per 
Definition 2.1. Given a suffix $w$ of an $n$-store, let $comp(w)$ be the result of adding the number of symbols "[" 
to the beginning of $w$ needed to form a proper $n$-store. 

Given an accepting run $\rho = c_0 c_1 \dots$ of $BP$ there exists a sequence of suffixes $w_1, w_2, \dots$ 
such that there exists an increasing sequence of natural numbers $i_1, i_2, \dots$ and for all $j > 0$ 
and $i \geq i_j$, $c_i$ has a stack with the suffix $w_j$. Additionally $c_{i_j}$ has the $n$-store $comp(w_j)$ and 
$w_i$ is a suffix of $w_j$ for all $i < j$ (it may be the case that $w_i = w_j$). Take the sequence 
$c_{i_1} c_{i_2} \dots$. Due to the finiteness of $\mathcal{P}$ and $\Sigma$ there must be $p, a$ with an infinite number of $c_{i_j}$ 
with control state $p$ and a stack whose $top_1$ element is $a$. Furthermore, since $\rho$ is accepting, 
we must have distinct $c_{i_1}$ and $c_{i_2}$ with $p$ as their control state and $a$ as the $top_1$ element, 
with a $c_f$ whose control state is $p^f \in \mathcal{F}$, and, 

$c_0 \rightarrow^* c_{i_1} \rightarrow^* c_f \rightarrow^* c_{i_2}$ 

We have (1) from $c_0 \rightarrow^* c_{i_1}$. By definition of $c_{i_1}, c_{i_2}, \dots$ we have $c_{i_1} = (p, comp(w_{i_1}))$ and all 
configurations between $c_{i_1}$ and $c_{i_2}$ have the suffix $w_{i_1}$. This implies, 

with $top_1(v) = a$. Hence, (2) holds as required. 

From (1) we have $c \rightarrow^* (p, \gamma_1)$ with $top_1(\gamma_1) = a$. From (2) we can construct a path, 

with $p^f \in \mathcal{F}$ and $top_1(\gamma_4) = a$ for any $\gamma_2$ with $top_1(\gamma_2) = a$. Thus, through infinite 
applications of (2), we can construct an accepting run of $BP$. □ 

E.2. Proof of Lemma 4.3 

if. 

Proof. We begin by showing that if $(p, [^n a]^n)$ satisfies (2), then a run $((p, 0), [^n a]^n) \rightarrow^*$ 
$((p, 1), \gamma)$ with $\gamma \in \mathcal{L}(B_n)$ exists in $BP'$. The run over $BP$ satisfying (2) can be split into 

two parts, 

$(p, [^n a]^n) \rightarrow^* (p^f, \gamma^f) \rightarrow^* (p, \gamma)$ 

with $\gamma \in \mathcal{L}(B_n)$, where $p^f$ is the first accepting state seen in the run. We consider each part 
separately. 

• Suppose we have a run, 

$(p_0, \gamma_0) \rightarrow \dots \rightarrow (p_m, \gamma_m)$ 

such that $p_m$ is the only accepting control state in the run. This run is derived from a 
sequence of commands $d_1, \dots, d_m$. Let $d_i = (p_{i-1}, a_i, o_i, p_i)$ for all $i \in \{1, \dots, m\}$. We 
show the run, 

$((p_0, 0), \gamma_0) \rightarrow \dots \rightarrow ((p_m, 0), \gamma_m)$ 
exists in $BP'$ by induction over $m$. In the base case $m = 0$ and the result is trivial. 
Suppose we have, 

$((p_1, 0), \gamma_1) \rightarrow \dots \rightarrow ((p_m, 0), \gamma_m)$ 
by the induction hypothesis. Since $d_1 = (p_0, a_1, o_1, p_1)$ and $p_0 \notin \mathcal{F}$, we have that 
$((p_0, 0), a_1, o_1, (p_1, 0))$ is in $\mathcal{D}'$. Hence we have the run, 

$((p_0, 0), \gamma_0) \rightarrow \dots \rightarrow ((p_m, 0), \gamma_m)$ 

as required. 
• We have $(p^f, \gamma^f) \in (\mathcal{F} \times C_n) \cap Pre^*(\{p\} \times \mathcal{L}(B_n))$; we show there exists the run 
$((p^f, 0), \gamma^f) \rightarrow^* ((p, 1), \gamma)$ in $BP'$ with $\gamma \in \mathcal{L}(B_n)$. 

We have the run $(p^f, \gamma^f) \rightarrow^* (p, \gamma)$ in $BP$ with $\gamma \in \mathcal{L}(B_n)$. This run is of the form, 

$(p_0, \gamma_0) \rightarrow (p_1, \gamma_1) \rightarrow \dots \rightarrow (p_m, \gamma_m)$ 

with $m \geq 1$, $p_0 = p^f$, $\gamma_0 = \gamma^f$, $p_m = p$ and $\gamma_m = \gamma$. The run is the consequence 
of a sequence of commands $d_1, \dots, d_m$. Let $d_i = (p_{i-1}, a_i, o_i, p_i)$. Since $p_0 \in \mathcal{F}$ we 
have $((p_0, 0), a_1, o_1, (p_1, 1))$ in $\mathcal{D}'$ by definition. Furthermore, for $i \in \{2, \dots, m\}$ we have 
$((p_{i-1}, 1), a_i, o_i, (p_i, 1))$ in $\mathcal{D}'$. We have the run 

$((p_0, 0), \gamma_0) \rightarrow ((p_1, 1), \gamma_1) \rightarrow \dots \rightarrow ((p_m, 1), \gamma_m)$ 

in $BP'$ therefrom. 
The proof of this direction follows immediately. 

We now consider the proof in the opposite direction. Suppose we have $((p, 0), [^n a]^n) \rightarrow^*$ 
$((p, 1), \gamma)$ with $\gamma \in \mathcal{L}(B_n)$. From the definition of $\mathcal{D}'$ it follows that the run is of the form, 

$((p, 0), [^n a]^n) \rightarrow \dots \rightarrow ((p^f, 0), \gamma^f) \rightarrow ((p', 1), \gamma') \rightarrow \dots \rightarrow ((p, 1), \gamma)$ 

where the second element of each control state/flag pair changes only in the position shown. 
Furthermore, $p^f$ is the first occurrence of an accepting control state in $BP$. This run is the 
result of a sequence of commands $d_1, \dots, d_m$ where $m \geq 1$. From a simple projection on the 
first element of each control state/flag pair, we immediately derive a sequence of commands 
$d'_1, \dots, d'_m$ in $\mathcal{D}$ and the following run of $BP$, 

$(p, [^n a]^n) \rightarrow \dots \rightarrow (p^f, \gamma^f) \rightarrow (p', \gamma') \rightarrow \dots \rightarrow (p, \gamma)$ 

Since $(p^f, \gamma^f)$ and $(p', \gamma')$ must be distinct, the existence of this run implies $(p, [^n a]^n)$ satisfies 
(2). □ 



E.3. Proof of $Attr_E(\mathcal{R}) = Pre^*(\mathcal{R}') \setminus C_\bot$. 

Proof. We show $Attr_E(\mathcal{R}) = Pre^*(\mathcal{R}') \setminus C_\bot$. We begin by proving $Attr_E(\mathcal{R}) \supseteq Pre^*(\mathcal{R}') \setminus C_\bot$. 
Take a configuration $(p, \gamma) \in Pre^*(\mathcal{R}') \setminus C_\bot$. We show $(p, \gamma) \in Attr_E(\mathcal{R})$ by induction 

over the shortest path $(p, \gamma) \rightarrow^* C$ of the order-$n$ APDS with $C \subseteq \mathcal{R}'$. 

For the base case, we have $(p, \gamma) \in \mathcal{R}' \setminus C_\bot$. Hence, $(p, \gamma) \in Attr_E(\mathcal{R})$ since $\mathcal{R} \subseteq$ 

$Attr_E(\mathcal{R})$. 

Now, suppose we have $(p, \gamma) \rightarrow C$ via the command $d = (p, a, OP)$ in the higher-order 
APDS with $C \subseteq Pre^*(\mathcal{R}')$ and by induction $C \subseteq Attr^i_E(\mathcal{R})$ for some $i$. There are two 
cases, 

• If $p \in V_A$ then for each $(o, p') \in OP$ and hence each move $(p, a, o, p')$ in the higher-order 
PDS we have a corresponding $(p', \gamma') \in C$. We have either $(p', \gamma') \in Pre^*(\mathcal{R}') \setminus C_\bot$ or we 
have $(p', \gamma') = (p', \bot)$. 

If we have $(p', \gamma') \in Pre^*(\mathcal{R}') \setminus C_\bot$ then $(p', \gamma') \in Attr^i_E(\mathcal{R})$ for some $i$ by induction. 
If we have $(p', \gamma') = (p', \bot)$ then $o(\gamma)$ is undefined. Hence $(p, a, o, p')$ is not a valid move 
for Abelard. 

Hence we have $(p, \gamma) \in C_A$ and $\forall c'. (p, \gamma) \rightarrow c' \Rightarrow c' \in Attr^i_E(\mathcal{R})$, which implies $(p, \gamma) \in$ 
$Attr^{i+1}_E(\mathcal{R}) \subseteq Attr_E(\mathcal{R})$. 

• If $p \in V_E$ then $C = \{(p', o(\gamma))\}$ and $(p, a, o, p') \in \mathcal{D}$. Thus, we have $\exists c'. (p, \gamma) \rightarrow c' \wedge c' \in$ 
$Attr^i_E(\mathcal{R})$ and $(p, \gamma) \in C_E$. Therefore $(p, \gamma) \in Attr^{i+1}_E(\mathcal{R}) \subseteq Attr_E(\mathcal{R})$. 

Thus, we have $Attr_E(\mathcal{R}) \supseteq Pre^*(\mathcal{R}') \setminus C_\bot$ as required. 

To show $Attr_E(\mathcal{R}) \subseteq Pre^*(\mathcal{R}') \setminus C_\bot$ we induct over $i$ in $Attr_E(\mathcal{R}) = \bigcup_{i \in \mathbb{N}} Attr^i_E(\mathcal{R})$. 
When $i = 0$ we have $Attr^0_E(\mathcal{R}) = \mathcal{R} \subseteq \mathcal{R}' \setminus C_\bot \subseteq Pre^*(\mathcal{R}') \setminus C_\bot$. For $i \geq 1$ there are two 
cases for all $c$ such that $c \notin Attr^{i-1}_E(\mathcal{R})$ and $c \in Attr^i_E(\mathcal{R})$, 

• $c \in \{\, c \in C_E \mid \exists c'. c \rightarrow c' \wedge c' \in Attr^{i-1}_E(\mathcal{R}) \,\}$. 

Hence there is some command $d = (p, a, o, p')$ in the higher-order PDS and command 
$(p, a, \{(o, p')\})$ in the higher-order APDS. By induction $c' \in Pre^*(\mathcal{R}') \setminus C_\bot$ and $c = (p, \gamma)$ 
and $c' = (p', o(\gamma))$. Hence $c \in Pre^*(\mathcal{R}') \setminus C_\bot$. 

• $c \in \{\, c \in C_A \mid \forall c'. c \rightarrow c' \Rightarrow c' \in Attr^{i-1}_E(\mathcal{R}) \,\}$. 

Let $c = (p, \gamma)$. We have $d = (p, a, OP)$ in the higher-order APDS such that for all 
moves $(p, a, o, p')$ we have $(o, p') \in OP$. If $o(\gamma)$ is defined, we have $(p, \gamma) \rightarrow (p', o(\gamma))$ and 
$(p', o(\gamma)) \in Pre^*(\mathcal{R}')$ by induction. If $o(\gamma)$ is undefined, then since we have $(p', \bot) \in \mathcal{R}'$ 
we have $(p', \bot) \in Pre^*(\mathcal{R}')$. 

Thus, we have $(p, \gamma) \rightarrow C$ via an application of the command $d$ such that $C \subseteq$ 
$Pre^*(\mathcal{R}')$. Hence $(p, \gamma) \in Pre^*(\mathcal{R}')$ and since $\gamma \neq \bot$, we have $(p, \gamma) \in Pre^*(\mathcal{R}') \setminus C_\bot$ 
as required. 

Thus, we have $Attr_E(\mathcal{R}) = Pre^*(\mathcal{R}') \setminus C_\bot$. □ 
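As an added illustration of the equality just proved (example code written for this page, not code from the paper), the following Python compares the two sides on a small constructed arena. It assumes a finite set of positions in place of the paper's higher-order stack configurations, a single shared bottom configuration standing in for the $(p, \bot)$ configurations added to $\mathcal{R}'$, and, following the two cases of the proof, that a command whose stack operation is undefined is simply unavailable to Eloise while for Abelard it is sent to the bottom configuration. Because the arena is finite, $Pre^*$ is computed here by plain least-fixpoint iteration; for the APDS itself the paper needs the saturation construction instead.

```python
# Added example (not code from the paper): Eloise's attractor of a target set R
# versus backwards reachability Pre*(R') in the alternating system built from
# the game, compared on a constructed finite arena.
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Config = str
# Distinguished sink playing the role of the (p, bottom) configurations the
# paper adds to R' (assumption: one shared sink is enough for a finite arena).
BOT = "bottom"

# Arena: configuration -> (owner, moves).  Owner "E" is Eloise (existential),
# "A" is Abelard (universal).  A move of None models a command whose stack
# operation o(gamma) is undefined on the current stack.
Arena = Dict[Config, Tuple[str, List[Optional[Config]]]]


def to_alternating(arena: Arena) -> Dict[Config, List[FrozenSet[Config]]]:
    """Alternating transition relation c -> C mirroring the proof: each Eloise
    move becomes its own transition to a singleton (undefined moves are not
    available to her), and an Abelard position gets one transition to the set
    of all its successors, with undefined moves sent to BOT."""
    trans: Dict[Config, List[FrozenSet[Config]]] = {}
    for c, (owner, moves) in arena.items():
        if owner == "E":
            trans[c] = [frozenset([m]) for m in moves if m is not None]
        else:
            trans[c] = [frozenset(BOT if m is None else m for m in moves)]
    return trans


def pre_star(trans: Dict[Config, List[FrozenSet[Config]]],
             targets: Set[Config]) -> Set[Config]:
    """Pre*(T): c is in the result iff c is in T or some transition c -> C
    has C entirely inside the result (least fixpoint, by iteration)."""
    reach: Set[Config] = set(targets)
    changed = True
    while changed:
        changed = False
        for c, outs in trans.items():
            if c not in reach and any(C <= reach for C in outs):
                reach.add(c)
                changed = True
    return reach


def attractor(arena: Arena, targets: Set[Config]) -> Set[Config]:
    """Attr_E(R) as the union of the Attr_E^i(R): Attr^0 = R, and Attr^{i+1}
    adds Eloise positions with some valid move into Attr^i and Abelard
    positions all of whose valid moves lead into Attr^i (an Abelard position
    with no valid move is added vacuously, as the universal quantifier over
    c' in the definition allows)."""
    attr: Set[Config] = set(targets)
    changed = True
    while changed:
        changed = False
        for c, (owner, moves) in arena.items():
            if c in attr:
                continue
            succ = [m for m in moves if m is not None]  # valid moves only
            if (owner == "E" and any(s in attr for s in succ)) or \
               (owner == "A" and all(s in attr for s in succ)):
                attr.add(c)
                changed = True
    return attr


# Constructed arena (not from the paper).
ARENA: Arena = {
    "goal": ("E", []),              # the target set R = {goal}
    "e0":   ("E", ["a1", "e4"]),    # Eloise should choose a1
    "a1":   ("A", ["goal", "e2"]),  # both of Abelard's choices lose
    "e2":   ("E", ["a3", None]),    # the undefined move is no help to Eloise
    "a3":   ("A", [None, "goal"]),  # Abelard's undefined move is not valid
    "e4":   ("E", ["e4"]),          # Eloise can only loop forever
    "a5":   ("A", ["goal", "e4"]),  # Abelard escapes to e4
    "a6":   ("A", [None]),          # Abelard is stuck: Eloise wins
}
R: Set[Config] = {"goal"}


def game_side() -> Set[Config]:
    """Left-hand side of the equation: Attr_E(R) on the game arena."""
    return attractor(ARENA, R)


def apds_side() -> Set[Config]:
    """Right-hand side: Pre*(R') \\ C_bot, with R' = R plus the sink."""
    return pre_star(to_alternating(ARENA), R | {BOT}) - {BOT}


if __name__ == "__main__":
    print(sorted(game_side()))
    print(game_side() == apds_side())
```

Positions `e4` and `a5` stay outside both sets: Eloise can never leave the loop at `e4`, and at `a5` Abelard's move to `e4` is a valid escape, so the universal condition fails; `a6` enters both sets because its only move is undefined, which the alternating side records as a transition into the sink that belongs to $\mathcal{R}'$.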